@commitlint/cli versions 6.0.0 and 5.2.8 provide the command-line tool that enforces commit message conventions, keeping a project's history consistent and readable. Both versions share the same core dependencies: meow for CLI argument parsing, chalk for styled console output, get-stdin for reading the message from standard input, the lodash utilities lodash.pick and lodash.merge for object manipulation, and babel-polyfill for broader JavaScript runtime compatibility. The key difference is the @commitlint/core dependency, which moves from version 5.2.8 to ^6.0.0; a new major of the core indicates potential breaking changes or significant additions in the linting logic.
Upgrading to 6.0.0 therefore brings whatever changed in @commitlint/core 6, so review the core's changes for breaking rule behaviour before upgrading. The @commitlint/test dev dependency is also bumped, from ^5.2.7 to ^6.0.0, keeping the test utilities aligned with the core so that configurations and custom rules are tested against the same major version. Both versions carry the same development dependencies for testing, linting and building (xo, ava, execa and the Babel toolchain), which matters only when contributing to the project or extending it. The core functionality is unchanged: linting commit messages so they conform to the expected format.
All vulnerabilities related to version 6.0.0 of the package. Each entry below is an advisory against a dependency in its tree (direct or transitive), not against @commitlint/cli's own code; whether a given one is actually reachable depends on the versions a project's lockfile resolves.
Uncontrolled Resource Consumption in trim-newlines
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method. @commitlint/cli reaches trim-newlines transitively through meow, which applies it to the generated help text rather than to user input, so exposure through this package is narrow; updating meow to a release that resolves trim-newlines 3.0.1 / 4.0.1 or later still removes the affected version from the tree.
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition of a property, or the modification of an existing one, that will then exist on all objects, and may lead to Denial of Service or Code Execution under specific circumstances. Update to version 4.17.19 or later.
Prototype Pollution in lodash.merge
Versions of lodash.merge before 4.6.1 are vulnerable to Prototype Pollution. The function merge may allow a malicious user to modify the prototype of Object via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.6.1 or later.
Prototype Pollution in lodash.merge
Versions of lodash.merge before 4.6.2 are vulnerable to prototype pollution. The function merge may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.6.2 or later.
dot-prop Prototype Pollution vulnerability
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Prototype Pollution in lodash.mergewith
Versions of lodash.mergewith before 4.6.2 are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.6.2 or later.
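The five prototype pollution entries above (lodash pick/set, the two lodash.merge advisories, dot-prop and lodash.mergewith) describe the same mechanism: a deep merge or a dot-path setter that walks into whatever object sits at a given key, including the inherited __proto__ slot and the constructor.prototype pair. The block below is an added example constructed for this page, not code from lodash, lodash.merge, lodash.mergewith or dot-prop: a naive merge and a naive path setter that reproduce the two payload shapes quoted in the advisories, beside hardened variants that refuse the three dangerous keys and only recurse into a target's own plain objects. The payload strings are constructed, the way an attacker would put them in a JSON request body.

```javascript
// Added example (constructed for this page; not lodash / lodash.merge / dot-prop code).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isObjectLike = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Deliberately vulnerable: recurses into target[key] whenever it is object-like,
// which includes the inherited Object.prototype (key "__proto__") and the Object
// constructor followed by its .prototype (keys "constructor" then "prototype").
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {          // JSON.parse makes "__proto__" an own key
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isObjectLike(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drops the three keys that step off the object (the shape of lodash's fix)
// and only recurses into a slot that is the target's OWN plain object, so an
// inherited value is never mutated in place.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Deliberately vulnerable dot-path setter (the shape of lodash.set / dot-prop set):
// walking "__proto__.polluted" lands the write on Object.prototype.
function unsafeSetPath(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!isObjectLike(cur[parts[i]])) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened: rejects forbidden segments before writing anything. Throwing rather
// than silently skipping is the better choice when the path came from a request.
function safeSetPath(obj, path, value) {
  const parts = path.split('.');
  for (const seg of parts) {
    if (FORBIDDEN_KEYS.has(seg)) throw new TypeError(`refused path segment "${seg}"`);
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!hasOwn(cur, parts[i]) || !isPlainObject(cur[parts[i]])) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Probe: does a brand-new, unrelated object now carry the injected key?
const probe = () => (({}).polluted === undefined ? 'clean' : ({}).polluted);

// Runs the two payload shapes from the advisories (constructed JSON) through each
// variant and reports what a fresh object looks like afterwards.
function demonstrate() {
  const payloads = {
    proto: '{"__proto__": {"polluted": "via __proto__"}}',
    ctor: '{"constructor": {"prototype": {"polluted": "via constructor.prototype"}}}',
  };
  const results = {};
  for (const [name, json] of Object.entries(payloads)) {
    unsafeMerge({}, JSON.parse(json));
    results[`unsafeMerge.${name}`] = probe();
    delete Object.prototype.polluted;              // undo, so the next check starts clean
    safeMerge({}, JSON.parse(json));
    results[`safeMerge.${name}`] = probe();
  }
  unsafeSetPath({}, '__proto__.polluted', 'via dot path');
  results.unsafeSetPath = probe();
  delete Object.prototype.polluted;
  try {
    safeSetPath({}, 'constructor.prototype.polluted', 'via dot path');
    results.safeSetPath = probe();
  } catch (e) {
    results.safeSetPath = e.message;
  }
  return results;
}

console.log(demonstrate());
```

The first advisory for lodash.merge (fixed in 4.6.1) only closed the __proto__ path; the constructor.prototype path, which this example also reproduces, needed the 4.6.2 fix. A blocklist of three keys is the fix most libraries shipped, but anything that stores untrusted keys is better served by Object.create(null) or a Map, where there is no prototype to reach.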
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Update to version 4.17.21 or later.
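The template entry names only the function, so the mechanism below is an assumption drawn from how a template compiler of this kind works: it assembles JavaScript source from the template text plus the caller-supplied `variable` option (the parameter name under which the compiled template receives its data) and evaluates that source with Function. This is an added example constructed for this page, not lodash's code; the mini-syntax (<%= expr %> only), the function names and the payload are all constructed. It shows that an unchecked `variable` lets whoever controls that option run arbitrary JavaScript in the process, which is what the advisory's "command injection" amounts to, and the allow-list check that closes it.

```javascript
// Added example (constructed for this page; not lodash's template implementation).
const INTERPOLATE_RE = /<%=([\s\S]+?)%>/g;   // assumed mini-syntax: <%= expr %> only

// Builds "function(<variable>) { ... }" as a source string from the template text.
function buildSource(template, variable) {
  let body = "var __p = '';\n";
  let last = 0;
  for (const m of template.matchAll(INTERPOLATE_RE)) {
    body += `__p += ${JSON.stringify(template.slice(last, m.index))};\n`;
    body += `__p += (${m[1].trim()});\n`;
    last = m.index + m[0].length;
  }
  body += `__p += ${JSON.stringify(template.slice(last))};\nreturn __p;`;
  return `function(${variable}) {\n${body}\n}`;   // `variable` spliced in verbatim
}

// Deliberately vulnerable: `variable` is assumed to be an identifier but never checked.
function compileUnsafe(template, variable = 'obj') {
  return new Function('return ' + buildSource(template, variable))();
}

// Hardened: `variable` must be a single identifier before it reaches the source
// string. An allow-list (ASCII identifiers, assumed sufficient here) is stricter
// and simpler to reason about than a deny-list of dangerous characters.
const IDENTIFIER_RE = /^[A-Za-z_$][\w$]*$/;
function compileSafe(template, variable = 'obj') {
  if (!IDENTIFIER_RE.test(variable)) {
    throw new Error(`Invalid \`variable\` option: ${JSON.stringify(variable)}`);
  }
  return compileUnsafe(template, variable);
}

// Constructed attacker value for `variable`: closes the parameter list, supplies its
// own function body, then opens a with-block so the rest of the generated source
// still parses. The "compiled template" is then the attacker's function.
const MALICIOUS_VARIABLE =
  '){ globalThis.injected = "pwned"; return "not a template"; }; with(obj';

function demonstrate() {
  const template = 'Hello <%= data.name %>!';
  const results = {};
  results.benign = compileSafe(template, 'data')({ name: 'world' });
  delete globalThis.injected;
  results.unsafeRendered = compileUnsafe(template, MALICIOUS_VARIABLE)({ name: 'world' });
  results.unsafeSideEffect = globalThis.injected;   // set by the injected code
  delete globalThis.injected;
  try {
    compileSafe(template, MALICIOUS_VARIABLE);
    results.safe = 'accepted';
  } catch (e) {
    results.safe = 'rejected';
  }
  results.safeSideEffect = globalThis.injected;     // nothing ran
  return results;
}

console.log(demonstrate());
```

The expression inside <%= %> also executes, but that is the template author's intended power; the bug is that a separate option, often read from configuration or a request, was granted the same power. Anywhere template options are not fully under the application's control, pin lodash to 4.17.21 or later and validate the option yourself as above.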