@commitlint/cli version 9.0.0 represents a notable shift from version 8.3.6, primarily focusing on modernizing the development environment and updating core dependencies. Developers will find key differences in the build tools and core libraries utilized. Version 9.0.0 transitions to using @babel/cli and @babel/core for compilation, replacing the older babel-cli and babel-polyfill found in 8.3.6. This change signifies a move towards more contemporary JavaScript tooling and potentially improved build performance.
Furthermore, the updated version adopts more recent versions of crucial dependencies such as chalk, upgrading from 2.4.2 to 3.0.0, and incorporates core-js for enhanced JavaScript feature support. A notable addition is regenerator-runtime, which improves compatibility with asynchronous JavaScript code. Conversely, older development dependencies like ava, tmp, mkdirp, sander, pkg-dir, resolve-bin, concurrently, babel-register, and string-to-stream have been removed, suggesting a streamlined development workflow.
The @commitlint/test and @commitlint/utils dependencies are also upgraded to version 9.0.0, aligning with the core package version. Developers who are upgrading should ensure their configurations and tests are compatible with the updated versions of these dependencies. The increase in unpackedSize from 56744 to 57502 indicates a slight growth in package size with the new version, though the difference is unlikely to be significant.
Vulnerabilities affecting version 9.0.0 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
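To make the advisory concrete from the defender's side, the following added example (not code from yargs-parser, commitlint or the advisory) implements a minimal "--a.b.c value" option parser of the kind the advisory describes. It places the unsafe dotted-path assignment beside a hardened one that refuses prototype-related path segments, and adds an audit helper that flags such arguments so an operator can log or reject them. The argument string is the one quoted above; the option values and function names are constructed for the example.

```javascript
// Added example, not code from yargs-parser or commitlint: a minimal dotted-key
// option parser with the unsafe assignment beside a hardened one.

// Path segments that must never be walked or assigned when building options.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// "--foo.__proto__.bar" -> ['foo', '__proto__', 'bar']
// (handles only the "--a.b value" form, not "--a.b=value")
function splitKeyPath(flag) {
  return flag.replace(/^--/, '').split('.');
}

// Unsafe: walks the path and creates intermediate objects blindly. Because
// `{}.__proto__` is Object.prototype, a path through "__proto__" writes onto
// the shared prototype and the property appears on every object.
function setPathUnsafe(target, path, value) {
  let cur = target;
  for (let i = 0; i < path.length - 1; i++) {
    if (typeof cur[path[i]] !== 'object' || cur[path[i]] === null) cur[path[i]] = {};
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
}

// Hardened: any forbidden segment aborts the assignment, and intermediate
// objects are only reused when they are the target's own properties.
function setPathSafe(target, path, value) {
  if (path.some((seg) => FORBIDDEN_KEYS.has(seg))) {
    throw new Error(`refusing option path with forbidden key: ${path.join('.')}`);
  }
  let cur = target;
  for (let i = 0; i < path.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, path[i]);
    if (!own || typeof cur[path[i]] !== 'object' || cur[path[i]] === null) cur[path[i]] = {};
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
}

// Parse ["--a.b", "1", "--c"] into { a: { b: "1" }, c: true } using the given setter.
function parseArgs(argv, setPath = setPathSafe) {
  const opts = {};
  for (let i = 0; i < argv.length; i++) {
    const flag = argv[i];
    if (!flag.startsWith('--')) continue;
    const hasValue = i + 1 < argv.length && !argv[i + 1].startsWith('--');
    const value = hasValue ? argv[++i] : true;
    setPath(opts, splitKeyPath(flag), value);
  }
  return opts;
}

// Audit helper: list the flags whose dotted path touches a forbidden key,
// suitable for logging before arguments reach a parser.
function findPrototypePollutionAttempts(argv) {
  return argv.filter(
    (a) => a.startsWith('--') && splitKeyPath(a).some((seg) => FORBIDDEN_KEYS.has(seg))
  );
}

// Run the advisory's argument through the unsafe setter to show the leak onto
// an unrelated fresh object, then delete the property so the process is left clean.
function demonstratePollution() {
  parseArgs(['--foo.__proto__.bar', 'baz'], setPathUnsafe);
  const leakedBeforeCleanup = ({}).bar === 'baz';
  delete Object.prototype.bar;
  const leakedAfterCleanup = ({}).bar === 'baz';
  return { leakedBeforeCleanup, leakedAfterCleanup };
}

// Same argument through the hardened setter: rejected, nothing leaks.
function demonstrateHardened() {
  let rejected = false;
  try {
    parseArgs(['--foo.__proto__.bar', 'baz']);
  } catch (e) {
    rejected = true;
  }
  return { rejected, leaked: ({}).bar === 'baz' };
}

console.log(JSON.stringify({ unsafe: demonstratePollution(), hardened: demonstrateHardened() }));
```

The deny-list on path segments is the same class of fix the patched yargs-parser versions apply; the `hasOwnProperty` check additionally stops the walk from descending into inherited objects when an intermediate key happens to exist on a prototype.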
Uncontrolled Resource Consumption in trim-newlines
@rkesters/gnuplot is an easy-to-use node module to draw charts using gnuplot and ps2pdf. The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
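The standard mitigation for a ReDoS in a trimming helper is to drop the regular expression altogether and scan the string by index, which is linear in the input regardless of how the newlines are arranged. The following added example (not the trim-newlines package's own code) implements start, end and both-sides trimming of \r and \n that way, mirroring the .end() split named in the advisory; the function names and sample inputs are constructed for the example.

```javascript
// Added example, not trim-newlines' own code: trailing/leading newline
// trimming by index scan, so cost is O(n) even for adversarial inputs.

function isNewline(ch) {
  return ch === '\n' || ch === '\r';
}

// Counterpart of an .end() helper: drop every trailing \r or \n.
// Scanning from the end means an input of 200 000 newlines followed by
// a single character is handled in one pass with no backtracking.
function trimNewlinesEnd(str) {
  let end = str.length;
  while (end > 0 && isNewline(str[end - 1])) end--;
  return end === str.length ? str : str.slice(0, end);
}

// Counterpart of a .start() helper: drop every leading \r or \n.
function trimNewlinesStart(str) {
  let start = 0;
  while (start < str.length && isNewline(str[start])) start++;
  return start === 0 ? str : str.slice(start);
}

// Trim both ends.
function trimNewlines(str) {
  return trimNewlinesEnd(trimNewlinesStart(str));
}

// Constructed inputs: a normal CRLF-terminated line and an adversarially
// shaped one (a long run of newlines that ends in a non-newline character).
const SAMPLE_LINE = 'commit message\r\n\n';
const ADVERSARIAL = '\n'.repeat(200000) + 'x';

console.log(JSON.stringify(trimNewlinesEnd(SAMPLE_LINE)));
console.log(trimNewlinesEnd(ADVERSARIAL).length);
```

Because the scan stops at the first non-newline character from each end, the worst case is a single pass over the string; the regex-based form the advisory refers to can be driven into repeated backtracking by inputs of exactly the adversarial shape above.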