Commitlint: @commitlint/parse using outdated version of conventional-changelog-angular

Created on 30 Jul 2020  路  7Comments  路  Source: conventional-changelog/commitlint

dot-prop dependency security issue was addressed as part of PR at https://github.com/conventional-changelog/conventional-changelog/pull/647

Affected packages

  • [ ] cli
  • [X] core
  • [ ] prompt
  • [ ] config-angular

Possible Solution

update package.json

Context

Allows for prototype pollution: https://github.com/advisories/GHSA-ff7x-qrg7-qggm

dependencies

All 7 comments

It's already merged. Next @next release will include this: https://github.com/conventional-changelog/commitlint/pull/2056

Please give this a try:
yarn add -D @commitlint/config-conventional@next @commitlint/cli@next
v10.0.0 should fix this.

@escapedcat thank you. I'm updating right now.

The issue persists, @commitlint/parse is still declaring conventional-changelog-angular "^5.0.0" in its package.json: https://github.com/conventional-changelog/commitlint/blob/cb1028ef2700d86991c69a1e2ad391bc1bdc9d90/%40commitlint/parse/package.json#L41

@glumia because of the ^ in ^5.0.0 it should install 5.0.11 on npm install. Maybe try a fresh install or check what your lock file says?

Aaa you are right sorry! There must be some problem with yarn because I solved the issue just removing by hand a line in the lock file* 馃槄

Thanks!

*I was somehow ending up with two lines for conventional-changelog-angular@^5.x.x in the yarn.lock file, one was causing the install of version 5.0.11 and the other one of version 5.0.10 (that brought the vulnerability issue).

v11.0.0 has been released as @latest

Was this page helpful?
0 / 5 - 0 ratings

Related issues

topocount picture topocount  路  3Comments

ResDiaryLewis picture ResDiaryLewis  路  4Comments

juliuscc picture juliuscc  路  3Comments

kirillgroshkov picture kirillgroshkov  路  3Comments

MathiasKandelborg picture MathiasKandelborg  路  3Comments