Commitlint: Yargs-parser security vulnerability for commitlint-cli

Created on 2 May 2020  路  13Comments  路  Source: conventional-changelog/commitlint

Expected Behavior

No security vulnerabilities.

Current Behavior

Running npm audit results in the following report

                       === npm audit security report ===                        


                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             

          Visit https://go.npm.me/audit-guide for additional guidance           


  Low             Prototype Pollution                                           

  Package         yargs-parser                                                  

  Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2              

  Dependency of   @commitlint/cli [dev]                                         

  Path            @commitlint/cli > @commitlint/lint > @commitlint/parse >      
                  conventional-commits-parser > meow > yargs-parser             

  More info       https://npmjs.com/advisories/1500                             


  Low             Prototype Pollution                                           

  Package         yargs-parser                                                  

  Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2              

  Dependency of   @commitlint/cli [dev]                                         

  Path            @commitlint/cli > @commitlint/read > git-raw-commits > meow   
                  > yargs-parser                                                

  More info       https://npmjs.com/advisories/1500                             


  Low             Prototype Pollution

  Package         yargs-parser

  Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

  Dependency of   @commitlint/cli [dev]

  Path            @commitlint/cli > meow > yargs-parser

  More info       https://npmjs.com/advisories/1500

found 3 low severity vulnerabilities in 894217 scanned packages
  3 vulnerabilities require manual review. See the full report for details.

Affected packages

  • [x] cli
  • [ ] core
  • [ ] prompt
  • [ ] config-angular

Possible Solution

The latest version of yargs-parser does not have this vulnerability. Recommend upgrading. Additionally recommend using the Snyk bot as it will regularly catch these and make PRs to solve security issues.

Steps to Reproduce (for bugs)

  1. npm init to make new project
  2. Add the following lines to dependencies
    "@commitlint/cli": "^8.3.5",
    "@commitlint/config-conventional": "^8.3.4",
  1. npm install and then npm audit

Your Environment

| Executable | Version |
| ---------------------: | :------ |
| commitlint --version | 6.14.4|
| git --version | git version 2.24.1.windows.2|
| node --version | v12.16.2 |

high

Most helpful comment

Just made a PR, but tests are failing: https://github.com/conventional-changelog/commitlint/pull/1694
Feel free to help debugging.

All 13 comments

Yup. Having the same problem at my end.

Screenshot from 2020-05-11 10-54-21

Just made a PR, but tests are failing: https://github.com/conventional-changelog/commitlint/pull/1694
Feel free to help debugging.

Any update about this?

Sorry, not sure when we have time to look into this. Feel free to help debugging.
Maybe adding a resolution for yargs-parser like we did in other cases might work better than updating meow? Just a thought. Didn't check the details.

Updating the dependency version of the package-lock.json resolves.

  1. package-lock.json - @@commitlint/cli - requires - meow version update to 7.0.1
  2. rm node_modules
  3. npm install
  4. npm audit
    found 0 vulnerabilities
    solved

Great if that works for you.
For the renovate-bot MR several tests are failing that's why we haven't merged this so far.
Feel free to look into this.

This is still an issue!

@escapedcat Can we focus on this issue, we use this package in webpack/webpack contrib orgs and we have problems with audit a long time + new release 9.1.0 is not under latest dist tag, what is also bad.

9.1.0 is available under next at the moment. Will be latest soon.

For further discussions regarding this issue I suggest to join the #commitlint room here: https://devtoolscommunity.herokuapp.com/

@byCedric I think if we focus on this one there's a chance to get rid of meow, use yargs-parser directly and update it to latest: https://github.com/conventional-changelog/commitlint/pull/1939

Released under next for now, please give it a try, i.e.:

yarn add -D @commitlint/config-conventional@next @commitlint/cli@next

image
no file is loading properly if anyone solution to this problem then plz tell me.

@sivanirupavat the issue in your screenshot is not related to commitlint if I read this correct

Was this page helpful?
0 / 5 - 0 ratings