Yargs-parser security vulnerability for commitlint-cli
Expected Behavior
No security vulnerabilities.
Current Behavior
Running `npm audit` results in the following report:
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Low Prototype Pollution
Package yargs-parser
Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
Dependency of @commitlint/cli [dev]
Path @commitlint/cli > @commitlint/lint > @commitlint/parse > conventional-commits-parser > meow > yargs-parser
More info https://npmjs.com/advisories/1500
Low Prototype Pollution
Package yargs-parser
Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
Dependency of @commitlint/cli [dev]
Path @commitlint/cli > @commitlint/read > git-raw-commits > meow > yargs-parser
More info https://npmjs.com/advisories/1500
Low Prototype Pollution
Package yargs-parser
Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
Dependency of @commitlint/cli [dev]
Path @commitlint/cli > meow > yargs-parser
More info https://npmjs.com/advisories/1500
found 3 low severity vulnerabilities in 894217 scanned packages
3 vulnerabilities require manual review. See the full report for details.
Affected packages
- cli
- core
- prompt
- config-angular
Possible Solution
The latest version of yargs-parser does not have this vulnerability. Recommend upgrading. Additionally recommend using the Snyk bot as it will regularly catch these and make PRs to solve security issues.
Steps to Reproduce (for bugs)
- Run `npm init` to make a new project.
- Add the following lines to dependencies:
  "@commitlint/cli": "^8.3.5",
  "@commitlint/config-conventional": "^8.3.4",
- Run `npm install` and then `npm audit`.
Your Environment
Executable | Version
---|---
commitlint --version | 6.14.4
git --version | git version 2.24.1.windows.2
node --version | v12.16.2
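A defender-side check for this finding, added here as an example and not code from the commitlint project or the issue: it evaluates the advisory's "Patched in" range expression from the audit report against yargs-parser versions found in a package-lock-style dependency tree and reports the unpatched paths the way `npm audit` prints them. The nested tree shape and the intermediate package versions (meow, git-raw-commits) are constructed assumptions; yargs-parser 10.1.0 is the unpatched release named on this page.

```javascript
// Added example, not code from the commitlint project: check yargs-parser
// versions in a package-lock-style tree against the advisory's "Patched in"
// range and report the unpatched dependency paths, as npm audit does.
const PATCHED = ">=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2"; // from the audit report

// Compare two "x.y.z" strings numerically: -1, 0 or 1 (a leading "v" is tolerated).
function compare(a, b) {
  const [pa, pb] = [a, b].map((v) => v.replace(/^v/, "").split(".").map(Number));
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

const OPS = { ">=": (c) => c >= 0, "<=": (c) => c <= 0, ">": (c) => c > 0, "<": (c) => c < 0, "=": (c) => c === 0 };

// True when `version` satisfies a range such as ">=13.1.2 <14.0.0 || >=18.1.2"
// (OR-separated clauses, each a space-separated AND of comparators).
function satisfies(version, range) {
  return range.split("||").some((clause) =>
    clause.trim().split(/\s+/).every((cmp) => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      return OPS[m[1] || "="](compare(version, m[2]));
    }));
}

// Walk { dependencies: { name: { version, dependencies } } } and collect
// "a > b > pkg@version" paths whose pkg version is outside the patched range.
function findUnpatched(tree, pkg, range, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg && !satisfies(node.version, range)) out.push(`${here.join(" > ")}@${node.version}`);
    findUnpatched(node, pkg, range, here, out);
  }
  return out;
}

// Constructed sample tree mirroring two of the three paths in the audit report
// (intermediate versions are made up; yargs-parser 10.1.0 is an unpatched release).
const yp = { version: "10.1.0" };
const meow = { version: "5.0.0", dependencies: { "yargs-parser": yp } };
const sampleTree = { dependencies: { "@commitlint/cli": { version: "8.3.5", dependencies: {
  meow,
  "@commitlint/read": { version: "8.3.5", dependencies: {
    "git-raw-commits": { version: "2.0.0", dependencies: { meow } } } },
} } } };

console.log(findUnpatched(sampleTree, "yargs-parser", PATCHED));
```

npm's lockfile hoists shared packages to the top level rather than nesting them, so build the nested tree from each package's declared requirements before trusting the reported paths.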
Top GitHub Comments
Just made a PR, but tests are failing: https://github.com/conventional-changelog/commitlint/pull/1694 Feel free to help debugging.
9.1.0 is available under `next` at the moment. Will be `latest` soon. For further discussions regarding this issue I suggest joining the `#commitlint` room here: https://devtoolscommunity.herokuapp.com/