We have encountered an npm audit issue regarding @commitlint/config-conventional

It is understood that the version fix is already in master but is yet to be published. https://github.com/conventional-changelog/commitlint/commit/44144ca7ac2b8e748e717f2dc6be2c5b1ea1f124
Has no/low npm audit issue.
Version 9.1.2 is having the npm audit issue.
commitlint.config.js
Affecting our CI flow with npm audit checks. The advisory was published 29 July 2020.
| Executable | Version |
| ---------------------: | :------ |
| commitlint --version | VERSION |
| git --version | VERSION |
| node --version | 10.16.0 |
We'll switch next to latest soon and create a new next from current master.
This duplicates/relates to #2032 (Edit: it does not)
Thank you :) looking forward to it :)
Sorry, my fault. Looks like this isn't fixed yet in lerna. We have to wait.
@escapedcat
Sorry, my fault. Looks like this isn't fixed yet in lerna. We have to wait.
This might be a na茂ve question, but how is that related to lerna?
As far as I can tell, the faulty package in the dependency chain @commitlint/config-conventional > conventional-changelog-conventionalcommits > compare-func > dot-prop is @commitlint/config-conventional installing version 4.3.0 of conventional-changelog-conventionalcommits which doesn鈥檛 seem to have the updated version of the compare-func dependency.
I鈥檓 not exactly sure I read that right, though.
Hey @kleinfreund ,
first up, there's a high chance that I'm wrong, so all questions are valid :)
Doing this in a fresh project:
npm i -D @commitlint/config-conventional@next @commitlint/cli@next
> [email protected] postinstall /Users/foo/test/node_modules/core-js
> node -e "try{require('./postinstall')}catch(e){}"
Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!
The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:
> https://opencollective.com/core-js
> https://www.patreon.com/zloirock
Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN [email protected] No description
+ @commitlint/[email protected]
+ @commitlint/[email protected]
added 153 packages from 78 contributors and audited 153 packages in 31.06s
15 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
I assume the screenshot above is outdated by now. Might still be valid for the @latest version though. Didn't check.
I'm getting dot-prop warnings in our project because of lerna, but that's not related to commitlint. I got confused because commitlint is using lerna as well. And usually I'm not too focused when taking care of commitlint, which is a pity and leads to confusion. Sorry for that.
Anyways, please let me know if my feedback makes sense to you.
I believe the @next version (which is currently the v10 release) installs a newer package version (4.3.1) of conventional-changelog-conventionalcommits than the @latest version (i.e. the v9 release). That explains why in the @next version, the vulnerability is no longer reported. As far as I can tell, all that鈥檚 needed to fix this issue for v9 users would be a new patch version release updating conventional-changelog-conventionalcommits from 4.3.0 to 4.3.1.
Agreed. v10 will be released soon and not sure how necessary a v9 patch version is.
v10 is mainly stopping node 10 support.
v11.0.0 has been released as @latest, please give it a try.
Going through to try and tidy up some older open tickets today as I have time. This one seems resolved in the current release v11.0.0. On a fresh install this showed 0 vulnerable packages.
Most helpful comment
We'll switch
nexttolatestsoon and create a newnextfrom current master.This duplicates/relates to #2032 (Edit: it does not)