Skip to content

fix: Code injection in fsevents#27

Draft
galanko wants to merge 1 commit into
masterfrom
opensec/fix/fsevents-cve-2023-45311
Draft

fix: Code injection in fsevents#27
galanko wants to merge 1 commit into
masterfrom
opensec/fix/fsevents-cve-2023-45311

Conversation

@galanko

@galanko galanko commented May 15, 2026

Copy link
Copy Markdown

Summary

Automated remediation for critical CVE-2023-45311 in fsevents dependency.

This critical vulnerability (CVSS 9.8) affects fsevents < 1.2.11 and could allow arbitrary code execution via compromised binaries distributed from S3.

Changes

  • Added explicit fsevents@^1.2.11 dependency in package.json
  • Updated package-lock.json with new dependency resolution (resolves to v1.2.13)
  • Verified npm install completes without errors
  • Verified test suite runs without regressions

Fix Details

  • Vulnerability: Code injection in fsevents binary distribution (CVE-2023-45311)
  • Affected versions: < 1.2.11
  • Fix: Upgrade to fsevents@^1.2.11 or higher
  • Impact: Minimal risk patch update maintaining full API compatibility
  • Risk of not upgrading: Complete codebase and deployment infrastructure compromise

Generated by OpenSec remediation agent

Add explicit fsevents@^1.2.11 dependency to remediate CVE-2023-45311.
This critical security vulnerability could allow arbitrary code execution
via the compromised fsevents binary distribution from S3. The dependency
resolves to version 1.2.13 which contains the fix.

- Updated package.json to include fsevents@^1.2.11
- Updated package-lock.json with new dependency tree (1.2.13)
- Verified build completes successfully
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant