Closed
Description
Expected Behavior
No security vulnerabilities.
Current Behavior
Running `npm audit` results in the following report:

```text
                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Low             Prototype Pollution
  Package         yargs-parser
  Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
  Dependency of   @commitlint/cli [dev]
  Path            @commitlint/cli > @commitlint/lint > @commitlint/parse >
                  conventional-commits-parser > meow > yargs-parser
  More info       https://npmjs.com/advisories/1500

  Low             Prototype Pollution
  Package         yargs-parser
  Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
  Dependency of   @commitlint/cli [dev]
  Path            @commitlint/cli > @commitlint/read > git-raw-commits > meow
                  > yargs-parser
  More info       https://npmjs.com/advisories/1500

  Low             Prototype Pollution
  Package         yargs-parser
  Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
  Dependency of   @commitlint/cli [dev]
  Path            @commitlint/cli > meow > yargs-parser
  More info       https://npmjs.com/advisories/1500

found 3 low severity vulnerabilities in 894217 scanned packages
  3 vulnerabilities require manual review. See the full report for details.
```
Affected packages
- cli
- core
- prompt
- config-angular
Possible Solution
The latest version of yargs-parser does not have this vulnerability. Recommend upgrading. Additionally recommend using the Snyk bot as it will regularly catch these and make PRs to solve security issues.
Steps to Reproduce (for bugs)
- `npm init` to make a new project
- Add the following lines to dependencies:

```json
    "@commitlint/cli": "^8.3.5",
    "@commitlint/config-conventional": "^8.3.4",
```

- `npm install` and then `npm audit`
Your Environment
| Executable | Version | 
|---|---|
| commitlint --version | 6.14.4 | 
| git --version | git version 2.24.1.windows.2 | 
| node --version | v12.16.2 | 
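The suggested fix is to move to a yargs-parser release inside the advisory's "Patched in" ranges; the following added example (not code from the commitlint issue or project) walks an `npm ls --json`-style dependency tree and reports each yargs-parser copy together with whether its version satisfies those ranges. The sample tree, its versions, and the helpers `satisfies`, `findPackage` and `auditYargsParser` are all constructed here for illustration.

```javascript
// "Patched in" ranges exactly as printed in the npm audit report (advisory 1500).
const PATCHED = '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2';

// Compare two "major.minor.patch" strings numerically: negative, zero or positive.
const parseVer = v => v.split('.').map(Number);
function cmp(a, b) {
  const [x, y] = [parseVer(a), parseVer(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Minimal range evaluator for the comparator syntax npm audit prints:
// space-separated comparators are ANDed, "||" separates alternatives.
function satisfies(version, range) {
  return range.split('||').some(clause =>
    clause.trim().split(/\s+/).every(c => {
      const m = c.match(/^(>=|<=|>|<)(\d+\.\d+\.\d+)$/);
      if (!m) throw new Error(`unsupported comparator: ${c}`);
      const d = cmp(version, m[2]);
      return { '>=': d >= 0, '<=': d <= 0, '>': d > 0, '<': d < 0 }[m[1]];
    }));
}

// Recursively collect every copy of `pkg` in a nested `dependencies` tree,
// recording the path the same way npm audit prints it ("a > b > c").
function findPackage(tree, pkg, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg) hits.push({ path: here.join(' > '), version: node.version });
    hits.push(...findPackage(node, pkg, here));
  }
  return hits;
}

// Flag each yargs-parser instance as patched or not against the advisory ranges.
function auditYargsParser(tree) {
  return findPackage(tree, 'yargs-parser')
    .map(h => ({ ...h, patched: satisfies(h.version, PATCHED) }));
}

// Constructed sample tree mirroring the report's "@commitlint/cli > meow > yargs-parser"
// path; the version numbers here are made up and below every patched range.
const sampleTree = { dependencies: { '@commitlint/cli': { version: '8.3.5', dependencies: {
  meow: { version: '5.0.0', dependencies: { 'yargs-parser': { version: '10.1.0' } } } } } } };

console.log(auditYargsParser(sampleTree));
```

Feed it the parsed output of `npm ls --json --all` to see whether every transitive yargs-parser copy has actually landed inside a patched range after upgrading.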