Skip to content

Yargs-parser security vulnerability for commitlint-cli #1691

Closed
Closed
Yargs-parser security vulnerability for commitlint-cli#1691
Labels
priority:high
@b-zurg

Description

@b-zurg
b-zurg
opened on May 2, 2020

Expected Behavior

No security vulnerabilities.

Current Behavior

Running npm audit results in the following report

                       === npm audit security report ===                        


                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           


  Low             Prototype Pollution                                           

  Package         yargs-parser                                                  

  Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2              

  Dependency of   @commitlint/cli [dev]                                         

  Path            @commitlint/cli > @commitlint/lint > @commitlint/parse >      
                  conventional-commits-parser > meow > yargs-parser             

  More info       https://npmjs.com/advisories/1500                             


  Low             Prototype Pollution                                           

  Package         yargs-parser                                                  

  Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2              

  Dependency of   @commitlint/cli [dev]                                         

  Path            @commitlint/cli > @commitlint/read > git-raw-commits > meow   
                  > yargs-parser                                                

  More info       https://npmjs.com/advisories/1500                             


  Low             Prototype Pollution

  Package         yargs-parser

  Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

  Dependency of   @commitlint/cli [dev]

  Path            @commitlint/cli > meow > yargs-parser

  More info       https://npmjs.com/advisories/1500

found 3 low severity vulnerabilities in 894217 scanned packages
  3 vulnerabilities require manual review. See the full report for details.

Affected packages

  • cli
  • core
  • prompt
  • config-angular

Possible Solution

The latest version of yargs-parser does not have this vulnerability. Recommend upgrading. Additionally recommend using the Snyk bot as it will regularly catch these and make PRs to solve security issues.

Steps to Reproduce (for bugs)

  1. npm init to make new project
  2. Add the following lines to dependencies
    "@commitlint/cli": "^8.3.5",
    "@commitlint/config-conventional": "^8.3.4",
  1. npm install and then npm audit

Your Environment

Executable Version
commitlint --version 6.14.4
git --version git version 2.24.1.windows.2
node --version v12.16.2

Metadata

Metadata

Assignees

No one assigned

    Labels

    priority:high

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions