npm audit reports finding 2 vulnerabilities
Although the security warning relates to Lodash, it actuall the Vorpal package causing the problem - it hasn't been updated for months, and appears to be dead
There should be no vulnerabilities.
npm reports
found 2 vulnerabilities (1 low, 1 moderate) in 115 scanned packages
2 vulnerabilities require manual review. See the full report for details.
npm install --save-dev @commitlint/promptnpm audit === npm audit security report ===
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Manual Review โ
โ Some vulnerabilities require your attention to resolve โ
โ โ
โ Visit https://go.npm.me/audit-guide for additional guidance โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Moderate โ Prototype Pollution โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Package โ lodash โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Patched in โ >=4.17.11 โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Dependency of โ @commitlint/prompt [dev] โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Path โ @commitlint/prompt > vorpal > inquirer > lodash โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ More info โ https://nodesecurity.io/advisories/782 โ
โโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Low โ Prototype Pollution โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Package โ lodash โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Patched in โ >=4.17.5 โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Dependency of โ @commitlint/prompt [dev] โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Path โ @commitlint/prompt > vorpal > inquirer > lodash โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ More info โ https://nodesecurity.io/advisories/577 โ
โโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
found 2 vulnerabilities (1 low, 1 moderate) in 115 scanned packages
2 vulnerabilities require manual review. See the full report for details.
| Executable | Version |
| ---: | :--- |
| commitlint/prompt --version | 7.5.0 |
| git --version | 2.17.2 |
| node --version | 11.2.0 |
@marionebl @escapedcat I think we need to work on #402 to fix this one, Vorpal hasn't been updated in over 2 years. @notquitedilbert thanks for reporting!
There's an effort to update vorpal but the critical deps are also not updated so far.
@byCedric @marionebl you know an alternative to vorpal which could be used?
Let's do this:
@commitlint/prompt-cli to use ink instead of vorpal.@commitlint/prompt a "true" commitizen adapter, changing the UX to commitizen's defaultsWhat do you think?
Any updates on this? Is @commitlint/prompt-cli being migrated to ink?
@hugomn I think our latest thoughts were to discontinue prompt-cli and replace it with a (native?) commitizen adapter (did I explain this correct? @marionebl @byCedric).
We actually wanted to open an issue here and ask for feedback of others. What do you think?
@escapedcat I'm not sure if I got exactly what "replace with a native commitizen adapter" means. But anyway, I think it's a good idea to open a new issue to discuss this migration. These 2 security vulnerabilities are hanging here for a while.
Right now the @commitlint/prompt is implemented with a custom "inquirer" (the library that asks the questions). It's partly using Commitizen, and part custom. Exactly this custom part is the "troublemaker" here. I think it was built like this because @commitlint/prompt-cli was created before Commitizen was done, but I might be wrong here.
Now we want to rewrite the @commitlint/prompt in such a way that it fully uses Commitizen with your current commitlint config, no custom part, no audit warnings, and no extra config. Unfortunately, this is set for "phase 3" of the TypeScript port. This port is important for us to make it less maintenance intensive, stable and way cleaner to work with. Once we have that in place, I'll make the extra effort to replace that part and fix this issue.
Please be aware that the
@commitlint/prompt-cliwill be deprecated in the future to solely use the@commitlint/promptadapter with Commitizen. We will open a ticket about this soon, further explaining why this will go.
TL;DR; We are working on a full TypeScript port of Commitlint, once that's done this part will be replaced and fixed! ๐
@escapedcat @marionebl This is the proper longer explanation right?
Hi guys, I understand porting to TS has a higher priority but this issue stops us from using commitlint in our products. As mentioned at the vorpal issue, is it possible to switch to use the fork before we have a proper rewrite?
As this has became a bit stale, I would like to ask if you were to welcome a PR that follows up on @superliuwr comment above?
Hey @asciidisco , sure, happy if you want to give it a try.
Any update on this? @byCedric do you know if there is an ETA on when #659 will be completed?
Most helpful comment
Hi guys, I understand porting to TS has a higher priority but this issue stops us from using commitlint in our products. As mentioned at the vorpal issue, is it possible to switch to use the fork before we have a proper rewrite?