Address vulnerable dependency: Semver < 7.5.2

[invariants]

Please update all dependencies to semver to at least 7.5.2. to address CVE-2022-25883.

[escapedcat]

#904 is related to this

[DavidWesley]

If you have difficulties understanding my language, I recommend using a translator

PROBLEMAS DE DEPENDÊNCIAS

# npm audit report

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install @commitlint/cli@8.2.0, which is a breaking change
node_modules/read-pkg/node_modules/semver
  normalize-package-data  <=2.5.0
  Depends on vulnerable versions of semver
  node_modules/read-pkg/node_modules/normalize-package-data
    read-pkg  <=5.2.0
    Depends on vulnerable versions of normalize-package-data
    node_modules/read-pkg
      read-pkg-up  <=7.0.1
      Depends on vulnerable versions of read-pkg
      node_modules/read-pkg-up
        meow  3.4.0 - 9.0.0
        Depends on vulnerable versions of read-pkg-up
        node_modules/meow
          conventional-commits-parser  >=2.1.5
          Depends on vulnerable versions of meow
          node_modules/conventional-commits-parser
            @commitlint/parse  >=8.3.0
            Depends on vulnerable versions of conventional-commits-parser
            node_modules/@commitlint/parse
              @commitlint/lint  >=8.3.0
              Depends on vulnerable versions of @commitlint/parse
              node_modules/@commitlint/lint
          git-raw-commits  >=1.3.4
          Depends on vulnerable versions of meow
          node_modules/git-raw-commits
            @commitlint/read  >=8.3.0
            Depends on vulnerable versions of git-raw-commits
            node_modules/@commitlint/read
              @commitlint/cli  >=8.3.0
              Depends on vulnerable versions of @commitlint/lint
              Depends on vulnerable versions of @commitlint/read
              node_modules/@commitlint/cli

11 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

De todos as dependências listadas em meu Prompt, eu realizei uma consulta bastante manual para encontrar onde estava realmente o problema de versionamento.

No momento da publicação dessa mensagem, as versões dos pacotes listados abaixo são:

• semver cuja versão vigente é 7.5.3 estando acima da 7.5.2. Portanto, sua situação é OK;
• normalize-package-data cuja versão é 5.0.0, sendo acima da <=2.5.0, mas utiliza a versão semver@^7.3.5. O npm é capaz de resolver esse problema e atualizar a dependência para a versão atual. Portanto, a situação é OK;
• read-pkg está na versão 8.0.0, sendo acima de <=5.2.0 e a versão mais recente utiliza normalize-package-data@^5.0.0. Portanto, sua situação é OK;
• read-pkg-up está na versão 9.1.0 sendo acima de <=7.0.1 e utiliza read-pkg@^7.1.0 que, por sua vez, está acima de <=5.2.0, mas não é a mais recente. Por tanto, sua situação é PARCIAL;
• meow está na versão 12.0.1, sendo fora do intervalo 3.4.0 - 9.0.0, e utiliza normalize-package-data^5.0.0 + read-pkg-up^9.1.0. Portanto, está OK
• conventional-commits-parser está na versão 4.0.0, mas utiliza a dependência meow@^8.1.2. Portanto, sua situação é RUIM

CONCLUSÃO

Por favor, faça um commit atualizando, pelo menos, a dependência meow do pacote conventional-commits-parser para a versão mais recente possível.

[DavidWesley]

#987

[ghiscoding]

#904 is related to this

It's not just related to that PR, there's also a transitive dependency that is very old which is read-pkg, it should be updated to v5.2.0 which is the last version that is non-ESM

@release-it/conventional-changelog@7.0.0 requires semver@2 || 3 || 4 || 5 via a transitive dependency on normalize-package-data@2.5.0

The issue is read-pkg@3.0.0 requires normalize-package-data@2.3.2 which requires semver@2 || 3 || 4 || 5

you can see below where read-pkg is being used, and that dependency should be updated as it is very old

conventional-changelog/packages/conventional-changelog-core/package.json

Lines 38 to 39 in 73dd829

	"read-pkg": "^3.0.0",
	"read-pkg-up": "^3.0.0"

[ghiscoding]

you can see below where read-pkg is being used, and that dependency should be updated as it is very old

conventional-changelog/packages/conventional-changelog-core/package.json

Lines 38 to 39 in 73dd829

	"read-pkg": "^3.0.0",
	"read-pkg-up": "^3.0.0"

@dangreen are there any plans to update some of these super old dependencies in conventional-changelog? I see that #904 was merged but read-pkg is still a problem. It would be nice to have a fix instead of us having to patch semver to a newer version on our own (I do mine via yarn resolution, but it would be nice to not have to).

Related PRs

• fix(deps): update dependency read-pkg to v8 - autoclosed #1039
• fix(deps): update dependency read-pkg-up to v10 - autoclosed #1042

However, these PRs are failing (unit tests) because the PRs are trying to upgrade to recent version which are now ESM only, a working solution would be to upgrade read-pkg to v5.2.0 which is the last version before ESM only arrived. Upgrading read-pkg would most certainly help to close some CVE reported issues, it would also close this opened issue

[nbouvrette]

@dangreen I think the release is missing to fix the vulnerability?

conventional-changelog@4.0.0
└─┬ conventional-changelog-core@5.0.2
  └─┬ conventional-changelog-writer@6.0.1
    └── semver@7.5.1

[escapedcat]

conventional-changelog-writer@6.0.1 package.json says it using 7.5.2 already.
Wondering why you still get 7.5.1

[nbouvrette]

@escapedcat conventional-changelog-writer@6.0.1 was released on July 9th while the package.json was updated to use 7.5.2 on July 10th.

We need new releases for all packages to fix this vulnerability once and for all.

[nbouvrette]

@dangreen any way we could have a new release for conventional-changelog-writer, conventional-changelog-core and conventional-changelog to fix the vulnerability once and for all?