High Severity CVE in electron-forge/maker-zip via cross-zip #4032

@adsnash

Description

Pre-flight checklist

  • I have read the contribution documentation for this project.
  • I agree to follow the code of conduct that this project uses.
  • I have searched the issue tracker for a bug that matches the one I want to file, without success.

Forge version

N/A

Electron version

N/A

Operating system

N/A

Last known working Forge version

N/A

Expected behavior

Dependency scanning reveals no security risks

Actual behavior

Dependency scanning reveals a high severity CVE in electron-forge/maker-zip via cross-zip

Steps to reproduce

npm will complain when simply installing maker-zip. To run a full end-to-end test and see the results from gemnasium (which first picked it up for me), you can do this:

# clean spot to test
mkdir tmp && cd tmp

# package.json with single dep: maker-zip
cat > package.json << EOF
{
  "name": "maker-zip-test",
  "version": "1.0.0",
  "dependencies": {
    "@electron-forge/maker-zip": "^7.9.0"
  }
}
EOF

# install to create package-lock.json, which includes the vulnerable cross-zip
npm i

# run gemnasium scanner - results will be in out/gl-dependency-scanning-report.json
docker run --rm -v $PWD:/code -v $PWD/out:/out registry.gitlab.com/security-products/gemnasium:5 /analyzer run --max-depth 5 --artifact-dir /out --target-dir /code

Additional information

Hello folks!

It looks like, as of last week, there is a high-severity CVE on cross-zip, which is a dependency of electron-forge/maker-zip.

The library in question:

https://github.com/feross/cross-zip

CVE advisories:

GHSA-gj5f-73vh-wpf7
https://security.snyk.io/vuln/SNYK-JS-CROSSZIP-6105396
https://nvd.nist.gov/vuln/detail/CVE-2025-11569

It doesn't look like the cross-zip library is actively maintained - the last push to main was over a year ago. Furthermore, ALL versions of cross-zip are impacted, so there's no older version to rollback to unfortunately.

Reminds me of this classic: https://xkcd.com/2347/

I also posted about this in Discord, just doing my part to bring it to the team's attention!
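The reproduction above relies on npm's warning and the gemnasium scanner to surface the transitive dependency. When triaging a finding like this in your own project, the question that matters is "which of my direct dependencies pulls in cross-zip, and which installed version?". The following is an added example, not code from the issue or from Electron Forge: it walks an npm lockfile (lockfileVersion 2/3 "packages" map) and lists every dependency chain from the root project to a target package, emulating Node's node_modules lookup so that nested copies (`node_modules/a/node_modules/b`) are resolved to the right entry. The embedded lockfile is a constructed sample; `some-tool` and the nested older cross-zip it pins are hypothetical and do not describe the real maker-zip dependency graph.

```javascript
// Added example (not code from the issue or from Electron Forge): given an npm
// lockfile v2/v3 "packages" map, list every dependency chain from the root
// project to a target package, with the version actually installed.
// For a real project, replace SAMPLE_LOCK with:
//   JSON.parse(fs.readFileSync("package-lock.json", "utf8"))

// Constructed sample lockfile. The shape is the real lockfileVersion 3 layout,
// but the graph is hypothetical: maker-zip -> cross-zip, plus a made-up
// "some-tool" that pins an older nested copy of cross-zip.
const SAMPLE_LOCK = {
  name: "maker-zip-test",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "maker-zip-test",
      version: "1.0.0",
      dependencies: { "@electron-forge/maker-zip": "^7.9.0", "some-tool": "^1.0.0" },
    },
    "node_modules/@electron-forge/maker-zip": {
      version: "7.9.0",
      dependencies: { "cross-zip": "^4.0.0" },
    },
    "node_modules/cross-zip": { version: "4.0.1" },
    "node_modules/some-tool": {
      version: "1.0.0",
      dependencies: { "cross-zip": "^3.0.0" },
    },
    "node_modules/some-tool/node_modules/cross-zip": { version: "3.0.0" },
  },
};

// Package name for a "packages" key such as "node_modules/@scope/pkg" or
// "node_modules/a/node_modules/b" (the part after the last node_modules/).
function packageName(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Emulate Node's resolution: try <from>/node_modules/<dep>, then walk up to
// each ancestor's node_modules until the root. Returns the lockfile key or null.
function resolveDep(packages, fromKey, dep) {
  let base = fromKey;
  for (;;) {
    const candidate = base === "" ? `node_modules/${dep}` : `${base}/node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root entry (""), collecting every chain of
// dependency names that ends at `target`. `seen` guards against cycles and
// maxDepth bounds the walk on large lockfiles (gemnasium's --max-depth does
// the same job).
function findChains(lock, target, maxDepth = 10) {
  const packages = lock.packages;
  const results = [];
  const visit = (key, chain, seen) => {
    const entry = packages[key];
    if (!entry || chain.length >= maxDepth) return;
    const deps = {
      ...(entry.dependencies || {}),
      ...(entry.optionalDependencies || {}),
      ...(key === "" ? entry.devDependencies || {} : {}),
    };
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDep(packages, key, dep);
      if (!resolved || seen.has(resolved)) continue; // not installed, or a cycle
      const next = [...chain, dep];
      if (packageName(resolved) === target) {
        results.push({ chain: next, key: resolved, version: packages[resolved].version });
      }
      visit(resolved, next, new Set([...seen, resolved]));
    }
  };
  visit("", [], new Set([""]));
  return results;
}

// Render chains as "root > a > b@version (lockfile key)" lines.
function formatChains(lock, chains) {
  const root = (lock.packages[""] && lock.packages[""].name) || lock.name || "(root)";
  return chains.map((c) => {
    const head = c.chain.slice(0, -1);
    const last = c.chain[c.chain.length - 1];
    return [root, ...head, `${last}@${c.version}`].join(" > ") + ` (${c.key})`;
  });
}

console.log(formatChains(SAMPLE_LOCK, findChains(SAMPLE_LOCK, "cross-zip")).join("\n"));
```

Run against a real package-lock.json this tells you whether cross-zip is reachable only through @electron-forge/maker-zip (in which case an upstream fix or a replacement maker is the only remedy, since the issue notes every cross-zip version is affected) or whether other direct dependencies pull in further copies that a single upgrade would not cover.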