fix for CVE-2021-23425 #3

Merged
stevemao merged 2 commits into stevemao:master from Trott:patch-1
Sep 17, 2021
Conversation

Trott (Collaborator) commented Sep 4, 2021

@stevemao I know it's been over 6 years since anything happened with this repository/package, but it would be great if you could merge this and publish a new version.

cchampou left a comment

Tested locally and works fine 💯

aixellent commented

@stevemao can you merge that please? :)

@Samarium150 Samarium150 mentioned this pull request Sep 13, 2021
Trott (Collaborator, Author) commented Sep 13, 2021

For people arriving here looking for a solution in the absence of a new release: If you remove node_modules and package-lock.json and then run npm install, you might fix the Snyk/GitHub interface warning.

Explanation: For a lot of people, this is coming from conventional-commits-parser 3.2.1 or older. (This would not typically be a direct dependency. It would be a dependency of another package, such as semantic-release.) conventional-commits-parser 3.2.2 removed trim-off-newlines as a dependency, thus fixing this issue for that package. Ref: conventional-changelog/conventional-changelog#841

If you depend on trim-off-newlines from something else, then this solution may not work. But I suspect this is where most people's issues are coming from.
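A way to check which packages in your own lockfile pull in trim-off-newlines, and whether you are in the case Trott describes (an old conventional-commits-parser), as an added example that is not code from this PR or from the trim-off-newlines project; it assumes a lockfile-v1 shaped object (top-level `dependencies` entries with `version`, `requires` and optional nested `dependencies`) and uses constructed sample data:

```javascript
// Lists every package that requires trim-off-newlines directly and flags the
// conventional-commits-parser < 3.2.2 case (3.2.2 dropped the dependency).
const VULNERABLE_PKG = 'trim-off-newlines';
const PARSER_PKG = 'conventional-commits-parser';
const PARSER_FIXED = [3, 2, 2]; // release that dropped trim-off-newlines

function parseVersion(v) {
  return v.split('.').map((n) => parseInt(n, 10));
}

// True when a is strictly older than b (plain major.minor.patch, no prerelease).
function olderThan(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Lockfile v1 nests a "dependencies" object under an entry whenever a second
// version had to be installed locally, so collect entries recursively.
function walk(deps, out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    out.push({ name, entry });
    walk(entry.dependencies, out);
  }
  return out;
}

function findDependents(lock) {
  return walk(lock.dependencies)
    .filter(({ entry }) => entry.requires && VULNERABLE_PKG in entry.requires)
    .map(({ name, entry }) => ({
      dependent: `${name}@${entry.version}`,
      oldParser: name === PARSER_PKG && olderThan(parseVersion(entry.version), PARSER_FIXED),
    }));
}

// Constructed sample lock: names and versions are illustrative only.
const SAMPLE_LOCK = {
  dependencies: {
    'conventional-commits-parser': { version: '3.2.1', requires: { 'trim-off-newlines': '^1.0.0' } },
    'trim-off-newlines': { version: '1.0.1' },
    'example-tool': { version: '2.0.0', requires: { 'trim-off-newlines': '^1.0.0' } },
    'example-plugin': {
      version: '1.0.0',
      requires: { 'conventional-commits-parser': '^3.2.2' },
      dependencies: { 'conventional-commits-parser': { version: '3.2.2', requires: {} } },
    },
  },
};

console.log(findDependents(SAMPLE_LOCK));
```

Replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real project; an entry flagged `oldParser: true` is the one the reinstall above addresses, while any other dependent needs its own update.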

theoludwig added a commit to theoludwig/theoludwig that referenced this pull request Sep 13, 2021
@stevemao stevemao merged commit fcbb73d into stevemao:master Sep 17, 2021
@Trott Trott deleted the patch-1 branch September 17, 2021 18:23
hadasbloom commented

@stevemao I tried contacting you via email regarding this issue a couple of times (maybe went to your spam). I believe this is an incomplete fix for this CVE, if you could take a look at my email that would be great. Thanks!

Hadas from the Snyk Security Team

Trott (Collaborator, Author) commented Sep 23, 2021

@hadasbloom If you're comfortable sharing the information with me, my email is in my GitHub profile.

Actually, I think I found the problem that you likely identified. I'll test a bit more and if I'm Not Wrong About That, I'll get a PR in to fix it soon.

Trott (Collaborator, Author) commented Sep 23, 2021

@hadasbloom Please take a look at #4
