@commitlint/load uses a vulnerable version of cosmiconfig (which uses a vulnerable version of js-yaml), see https://nodesecurity.io/advisories/788 for more details on the security issue.
js-yaml 3.13.0 is patched, but cosmiconfig has yet to update its version.
yarn audit output:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ commitlint                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ commitlint > @commitlint/cli > @commitlint/load >            │
│               │ cosmiconfig > js-yaml                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/788                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
Expected Behavior
Use a patched version of cosmiconfig when it's available, see this issue & PR
Current Behavior
Uses a vulnerable version of cosmiconfig.
Affected packages
Possible Solution
- Update cosmiconfig
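Until cosmiconfig publishes a release that depends on the patched js-yaml, a project can check what its own lockfile actually resolves and force the transitive dependency up itself. The script below is an added example, not code from this issue or from the commitlint project: it parses a Yarn v1 lockfile, lists every js-yaml spec that resolves below 3.13.0 (the patched floor in the audit output above), and builds the package.json "resolutions" entry (a Yarn 1 feature; the "**/" glob matches every nested copy) that pins js-yaml to ^3.13.0. The lockfile text is constructed for the example; the @commitlint/load and cosmiconfig versions in it are assumptions, not the real ones.

```javascript
'use strict';

// Constructed Yarn v1 lockfile for the example; the versions are assumptions.
// It reproduces the audit path commitlint > @commitlint/load > cosmiconfig > js-yaml.
const SAMPLE_LOCK = `# yarn lockfile v1

"@commitlint/load@^7.5.0":
  version "7.5.0"
  resolved "https://registry.yarnpkg.com/@commitlint/load/-/load-7.5.0.tgz"
  dependencies:
    cosmiconfig "^5.0.0"

cosmiconfig@^5.0.0:
  version "5.0.7"
  resolved "https://registry.yarnpkg.com/cosmiconfig/-/cosmiconfig-5.0.7.tgz"
  dependencies:
    js-yaml "^3.9.0"

js-yaml@^3.9.0, js-yaml@^3.12.0:
  version "3.12.2"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.12.2.tgz"

js-yaml@^3.13.0:
  version "3.13.1"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.13.1.tgz"
`;

// Minimal Yarn v1 lockfile parser: an unindented line ending in ':' opens an
// entry keyed by one or more comma-separated "name@range" specs; the indented
// `version "x.y.z"` line gives the version all of those specs resolve to.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const specs = line
        .replace(/:\s*$/, '')
        .split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { specs, version: null };
      entries.push(current);
      continue;
    }
    const m = line.match(/^ {2}version "([^"]+)"/);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// "@scope/name@^1.2.3" -> "@scope/name": the range separator is the last '@',
// so scoped package names (which start with '@') are handled correctly.
function packageNameOf(spec) {
  return spec.slice(0, spec.lastIndexOf('@'));
}

// Compare two "major.minor.patch" versions numerically; pre-release tags ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i += 1) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every spec of `pkg` in the lockfile whose resolved version is below `patchedFloor`.
function findVulnerable(lockText, pkg, patchedFloor) {
  const hits = [];
  for (const entry of parseYarnLock(lockText)) {
    if (!entry.version) continue;
    for (const spec of entry.specs) {
      if (packageNameOf(spec) === pkg && compareVersions(entry.version, patchedFloor) < 0) {
        hits.push({ spec, version: entry.version });
      }
    }
  }
  return hits;
}

// Copy of package.json with a Yarn "resolutions" entry pinning every nested copy
// of `pkg` (the "**/" glob) to `range`; existing resolutions and keys are kept.
function withResolution(packageJson, pkg, range) {
  const resolutions = { ...(packageJson.resolutions || {}), [`**/${pkg}`]: range };
  return { ...packageJson, resolutions };
}

// Demo on the constructed lockfile: report the vulnerable specs and the fix.
{
  const found = findVulnerable(SAMPLE_LOCK, 'js-yaml', '3.13.0');
  for (const h of found) console.log(`${h.spec} resolves to ${h.version} (< 3.13.0)`);
  if (found.length > 0) {
    const pkg = { name: 'app', devDependencies: { commitlint: '^7.5.0' } };
    console.log(JSON.stringify(withResolution(pkg, 'js-yaml', '^3.13.0'), null, 2));
  }
}
```

After writing the resolutions entry to package.json, run `yarn install` again and re-run `yarn audit`; the resolution is a stop-gap that should be removed once cosmiconfig itself depends on js-yaml >=3.13.0.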