@commitlint/cli 16.3.0 is a small release built on 16.2.4. The one dependency change is that @commitlint/load moves from 16.2.4 to 16.3.0 so that the CLI and the configuration loader share a version; the devDependencies are unchanged. Because @commitlint/load is the package that resolves and loads commitlint configuration, whatever fixes or enhancements 16.3.0 carries are in that loading path, and the bump is the part of the release that affects the CLI's runtime behaviour.
Both versions share the same base dependencies: yargs for command-line argument parsing, lodash for utility functions, and resolve-from/resolve-global for module resolution. The same @commitlint/read, @commitlint/types and @commitlint/format versions appear in both, so the APIs for reading commit messages, the shared type definitions, and the formatting of lint results are unchanged between 16.2.4 and 16.3.0.
Upgrading to 16.3.0 is advisable to pick up whatever improvements 16.3.0 of @commitlint/load brings to configuration loading, including any edge cases or compatibility issues present in 16.2.4. With the devDependencies unchanged, the upgrade should be straightforward for projects that already satisfy the peer dependency requirements of the core @commitlint packages. The unpacked size grows only from 55132 to 55298 bytes, consistent with a small change. Staying current keeps access to the latest fixes within the commitlint ecosystem.
Known vulnerabilities affecting version 16.3.0 of the package through its dependency tree
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
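The practical questions for a consumer of @commitlint/cli 16.3.0 are which copies of semver its dependency tree actually installs and whether any of them falls inside the ranges listed above. The script below is an added example, not code from the commitlint project or the advisory: it encodes the advisory's three fixed versions (7.5.2, 6.3.1, 5.7.2), classifies a version string against them, and walks a package-lock.json (lockfileVersion 2 or 3, whose `packages` map lists every nested install) to report vulnerable copies. It also shows a length-and-alphabet guard for code that cannot upgrade yet but must hand untrusted text to semver's Range parser. The lockfile contents are constructed for the demo; the maximum range length is an assumed policy value, not anything from semver.

```javascript
// Added example, not part of @commitlint/cli or the semver advisory.
// Node.js built-ins only; no npm packages required.

// Fixed versions per branch, as stated in the advisory.
const FIXED = { 7: [7, 5, 2], 6: [6, 3, 1], other: [5, 7, 2] };

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; prerelease/build dropped).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Three-way compare of two [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when `version` is inside a range the advisory lists as vulnerable:
// 7.x below 7.5.2, 6.x below 6.3.1, and any other line below 5.7.2.
// Majors above 7 postdate the fix and are treated as not affected.
function isVulnerableSemver(version) {
  const v = parseVersion(version);
  if (!v) throw new Error(`unparseable version: ${version}`);
  if (v[0] === 7) return cmp(v, FIXED[7]) < 0;
  if (v[0] === 6) return cmp(v, FIXED[6]) < 0;
  if (v[0] > 7) return false;
  return cmp(v, FIXED.other) < 0;
}

// Walk a lockfileVersion 2/3 package-lock.json. Every key that ends in
// "node_modules/semver" is one installed copy (top-level or nested).
function findVulnerableSemver(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/semver$/.test(path)) continue;
    if (isVulnerableSemver(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed lockfile fragment for the demo; not a real commitlint lockfile.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/semver": { version: "7.3.8" },
    "node_modules/@commitlint/load/node_modules/semver": { version: "7.5.4" },
    "node_modules/some-dep/node_modules/semver": { version: "5.7.1" },
    "node_modules/other-dep/node_modules/semver": { version: "6.3.1" },
  },
};

// Guard for code that must pass untrusted text to semver's Range parser:
// cap the length and restrict the alphabet to what a range can contain, so
// pathological inputs are refused before any regex runs. The cap is an
// assumed policy value, not a limit defined by semver.
const MAX_RANGE_LEN = 256;
const RANGE_CHARS = /^[0-9A-Za-z.\-+*xX~^<>=|\s]*$/;
function safeRangeInput(s) {
  if (typeof s !== "string" || s.length > MAX_RANGE_LEN) return false;
  return RANGE_CHARS.test(s);
}

// CLI use: `node audit-semver.js path/to/package-lock.json`; with no
// argument the constructed sample lockfile is scanned instead.
if (typeof require !== "undefined" && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath
    ? JSON.parse(require("fs").readFileSync(lockPath, "utf8"))
    : SAMPLE_LOCK;
  const hits = findVulnerableSemver(lock);
  for (const h of hits) console.log(`VULNERABLE ${h.path} ${h.version}`);
  console.log(`${hits.length} vulnerable semver install(s)`);
}
```

Run against the sample, the script flags the top-level 7.3.8 copy and the nested 5.7.1 copy and leaves 7.5.4 and 6.3.1 alone. Nested copies matter: a fixed semver at the top level says nothing about the copy a transitive dependency such as @commitlint/load resolves privately, which is why the scan matches every `node_modules/semver` key rather than only the first one. The input guard does not replace upgrading; it only bounds the work a vulnerable parser can be made to do.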