Commitlint: npm audit issue for @commitlint/config-conventional (dot-prop)

Created on 30 Jul 2020  路  9Comments  路  Source: conventional-changelog/commitlint

We have encountered an npm audit issue regarding @commitlint/config-conventional

Screenshot 2020-07-30 at 3 02 15 PM

It is understood that the version fix is already in master but is yet to be published. https://github.com/conventional-changelog/commitlint/commit/44144ca7ac2b8e748e717f2dc6be2c5b1ea1f124

Expected Behavior

Has no/low npm audit issue.

Current Behavior

Version 9.1.2 is having the npm audit issue.

Affected packages

  • [ ] cli
  • [x] core
  • [ ] prompt
  • [ ] config-angular

Possible Solution


Steps to Reproduce (for bugs)


  1. First step
  2. Second step


commitlint.config.js


Context

Affecting our CI flow with npm audit checks. The advisory was published 29 July 2020.

Your Environment

| Executable | Version |
| ---------------------: | :------ |
| commitlint --version | VERSION |
| git --version | VERSION |
| node --version | 10.16.0 |

dependencies

Most helpful comment

We'll switch next to latest soon and create a new next from current master.
This duplicates/relates to #2032 (Edit: it does not)

All 9 comments

We'll switch next to latest soon and create a new next from current master.
This duplicates/relates to #2032 (Edit: it does not)

Thank you :) looking forward to it :)

Sorry, my fault. Looks like this isn't fixed yet in lerna. We have to wait.

@escapedcat

Sorry, my fault. Looks like this isn't fixed yet in lerna. We have to wait.

This might be a na茂ve question, but how is that related to lerna?

As far as I can tell, the faulty package in the dependency chain @commitlint/config-conventional > conventional-changelog-conventionalcommits > compare-func > dot-prop is @commitlint/config-conventional installing version 4.3.0 of conventional-changelog-conventionalcommits which doesn鈥檛 seem to have the updated version of the compare-func dependency.

I鈥檓 not exactly sure I read that right, though.

Hey @kleinfreund ,

first up, there's a high chance that I'm wrong, so all questions are valid :)

Doing this in a fresh project:

npm i  -D @commitlint/config-conventional@next @commitlint/cli@next

> [email protected] postinstall /Users/foo/test/node_modules/core-js
> node -e "try{require('./postinstall')}catch(e){}"

Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!

The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:
> https://opencollective.com/core-js
> https://www.patreon.com/zloirock

Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)

npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN [email protected] No description

+ @commitlint/[email protected]
+ @commitlint/[email protected]
added 153 packages from 78 contributors and audited 153 packages in 31.06s

15 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

I assume the screenshot above is outdated by now. Might still be valid for the @latest version though. Didn't check.
I'm getting dot-prop warnings in our project because of lerna, but that's not related to commitlint. I got confused because commitlint is using lerna as well. And usually I'm not too focused when taking care of commitlint, which is a pity and leads to confusion. Sorry for that.

Anyways, please let me know if my feedback makes sense to you.

I believe the @next version (which is currently the v10 release) installs a newer package version (4.3.1) of conventional-changelog-conventionalcommits than the @latest version (i.e. the v9 release). That explains why in the @next version, the vulnerability is no longer reported. As far as I can tell, all that鈥檚 needed to fix this issue for v9 users would be a new patch version release updating conventional-changelog-conventionalcommits from 4.3.0 to 4.3.1.

Agreed. v10 will be released soon and not sure how necessary a v9 patch version is.
v10 is mainly stopping node 10 support.

v11.0.0 has been released as @latest, please give it a try.

Going through to try and tidy up some older open tickets today as I have time. This one seems resolved in the current release v11.0.0. On a fresh install this showed 0 vulnerable packages.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

chris-dura picture chris-dura  路  5Comments

MathiasKandelborg picture MathiasKandelborg  路  3Comments

EECOLOR picture EECOLOR  路  3Comments

QuentinRoy picture QuentinRoy  路  5Comments

texhnolyze picture texhnolyze  路  3Comments