dot-prop dependency security issue was addressed as part of PR at https://github.com/conventional-changelog/conventional-changelog/pull/647
update package.json
Allows for prototype pollution: https://github.com/advisories/GHSA-ff7x-qrg7-qggm
It's already merged. Next @next release will include this: https://github.com/conventional-changelog/commitlint/pull/2056
Please give this a try:
yarn add -D @commitlint/config-conventional@next @commitlint/cli@next
v10.0.0 should fix this.
@escapedcat thank you. I'm updating right now.
The issue persists, @commitlint/parse is still declaring conventional-changelog-angular "^5.0.0" in its package.json: https://github.com/conventional-changelog/commitlint/blob/cb1028ef2700d86991c69a1e2ad391bc1bdc9d90/%40commitlint/parse/package.json#L41
@glumia because of the ^ in ^5.0.0 it should install 5.0.11 on npm install. Maybe try a fresh install or check what your lock file says?
Aaa you are right sorry! There must be some problem with yarn because I solved the issue just removing by hand a line in the lock file* 馃槄
Thanks!
*I was somehow ending up with two lines for conventional-changelog-angular@^5.x.x in the yarn.lock file, one was causing the install of version 5.0.11 and the other one of version 5.0.10 (that brought the vulnerability issue).
v11.0.0 has been released as @latest