@commitlint/cli 8.3.6 is an incremental update over 8.3.5 to the command-line interface of commitlint, a tool that lints commit messages against a predefined convention. The release mostly bumps internal dependencies: @commitlint/lint, @commitlint/load, @commitlint/read and @commitlint/format move from the 8.3.4 and 8.3.5 versions that 8.3.5 depended on to 8.3.6 across the board, so the core linting, configuration loading, commit-message reading and output formatting packages pick up whatever fixes landed in those point releases. The @commitlint/utils dev dependency moves from ^8.3.4 to ^8.3.6. The one third-party change is lodash, bumped from 4.17.15 to 4.17.21; this is the security-relevant part of the release, since 4.17.21 is the first lodash version past the prototype-pollution, ReDoS and template-injection advisories that still apply to 4.17.15. The gap between the two release dates points to substantial upstream activity in between, and the newer version ships slightly more files and a slightly larger tarball, consistent with the dependency upgrades. Upgrading is straightforward and worthwhile, but note that the advisories listed below live in transitive dependencies (yargs-parser, trim-newlines, dot-prop), so whether an install is actually affected depends on the versions the lockfile resolves; check with npm ls <package> or npm audit rather than relying on the CLI version alone.
Known vulnerabilities in the dependency tree of version 8.3.6
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, so an attacker who controls the argument vector can modify Object.prototype, adding or changing a property that then exists on every object. Parsing the argument --foo.__proto__.bar baz adds a bar property with the value baz to all objects. This is only exploitable when attackers control the arguments being passed to yargs-parser; for a locally run CLI such as commitlint that is normally the invoking user, but it matters wherever argv is assembled from untrusted input, for example a hook or CI job that forwards user-supplied strings as flags.
Fixed in versions 13.1.2, 15.0.1 and 18.1.1; upgrade to one of those or later on the major line in use.
Uncontrolled Resource Consumption in trim-newlines
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js is vulnerable to regular expression denial of service (ReDoS) in its .end() method: a crafted string makes the trailing-newline match backtrack excessively, so CPU time grows super-linearly with input length. Fixed in 3.0.1 and 4.0.1.
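The ReDoS class the trim-newlines entry refers to is easy to reproduce in isolation. The following is an added example, not trim-newlines' own source: the end-anchored regex is a constructed stand-in for the pattern class (an unbounded repetition followed by an anchor), placed beside a linear back-scan that trims the same characters. The hostile input is a long run of newlines that is not at the end of the string, which forces the regex to backtrack through the run once for every start position.

```javascript
// Constructed stand-in for a trailing-newline trimmer built on an end-anchored,
// unbounded regex. This is an illustration of the ReDoS pattern class, not
// trim-newlines' own code.
const TRAILING_NEWLINES = /[\r\n]+$/;

function trimEndWithRegex(input) {
  return input.replace(TRAILING_NEWLINES, '');
}

// Linear alternative: scan back from the end over CR/LF and slice once.
function trimEndWithLoop(input) {
  let end = input.length;
  while (end > 0 && (input[end - 1] === '\n' || input[end - 1] === '\r')) end -= 1;
  return input.slice(0, end);
}

// Adversarial input (constructed): n newlines followed by a non-newline, so the
// regex can never match and must fail after backtracking at every start offset.
function hostileInput(n) {
  return '\n'.repeat(n) + 'x';
}

function timeMs(fn, arg) {
  const t0 = process.hrtime.bigint();
  fn(arg);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Wall-clock comparison of the two implementations on the same hostile input.
// The regex time grows roughly fourfold each time n doubles; the loop stays flat.
function compare(n) {
  const s = hostileInput(n);
  return { n, regexMs: timeMs(trimEndWithRegex, s), loopMs: timeMs(trimEndWithLoop, s) };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [2000, 4000, 8000]) console.log(compare(n));
}
```

Both functions agree on ordinary input; the difference only shows up on the adversarial shape, which is why this class of bug survives normal test suites. When reviewing a dependency's fix, look for the regex being replaced by a bounded scan like the loop above, not merely for a tweaked pattern.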
dot-prop Prototype Pollution vulnerability
Prototype pollution in the dot-prop npm package before 4.2.1 and in 5.x before 5.1.1 allows an attacker who controls a property path to add arbitrary properties to Object.prototype and, through it, to every JavaScript object. It is the same __proto__-in-a-dotted-path mechanism as the yargs-parser issue above, so the same question applies: is any path passed to dot-prop derived from untrusted input?
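The yargs-parser and dot-prop entries above describe one mechanism: a dotted property path is walked segment by segment, and a segment named __proto__ hands back the shared Object.prototype, so the final write lands on every object. The following is an added example, not code from yargs-parser, dot-prop or commitlint. It models that walk with a constructed setPath helper and a minimal argv loop, reproduces the advisory's --foo.__proto__.bar baz payload, and shows the hardened variant that rejects prototype-reaching segments and only ever creates null-prototype containers.

```javascript
// Keys that can reach a shared prototype through property traversal.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable (constructed model of the flaw): walks the dotted path blindly.
// "__proto__" as an intermediate key returns Object.prototype, so the final
// assignment lands on every object in the process.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: refuses prototype-reaching segments up front, only descends into
// own properties, and creates null-prototype containers so a missed key still
// has no prototype chain to walk.
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error(`refusing to set path with forbidden key: ${path}`);
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(node, key) ||
        typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Tiny argv model (constructed, not yargs-parser): handles "--a.b value" pairs
// and bare "--flag" booleans, delegating the dotted-key expansion to setPath.
function parseArgv(argv, setPath) {
  const out = Object.create(null);
  for (let i = 0; i < argv.length; i += 1) {
    const token = argv[i];
    if (!token.startsWith('--')) continue;
    const next = argv[i + 1];
    const value = next !== undefined && !next.startsWith('--') ? argv[++i] : true;
    setPath(out, token.slice(2), value);
  }
  return out;
}

// Runs the advisory's payload through both setters and reports what happened.
function demonstrate() {
  const payload = ['--foo.__proto__.bar', 'baz'];
  const result = {};

  parseArgv(payload, setPathUnsafe);
  result.unsafePolluted = ({}).bar === 'baz'; // a fresh object now carries .bar
  delete Object.prototype.bar; // clean the shared prototype before continuing

  let safeRejected = false;
  try { parseArgv(payload, setPathSafe); } catch (e) { safeRejected = true; }
  result.safeRejected = safeRejected;
  result.safeStillClean = ({}).bar === undefined;

  // Ordinary nested flags keep working with the hardened setter.
  const parsed = parseArgv(['--server.port', '8080', '--verbose'], setPathSafe);
  result.normalParsing = parsed.server.port === '8080' && parsed.verbose === true;
  return result;
}

if (typeof require !== 'undefined' && require.main === module) console.log(demonstrate());
```

The denylist is the fix the advisories describe; the null-prototype containers and own-property check are defence in depth, so that a future bypass of the key filter has no Object.prototype to land on. The same pattern applies when auditing any "set by dotted path" helper in an application, not just these two packages.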