@commitlint/cli enforces commit message conventions, giving a project a cleaner history and enabling automation such as release-notes generation. Version 9.0.1 is a patch release over 9.0.0: it consists mainly of dependency updates intended to improve stability and pick up fixes in the libraries it relies on.
The main difference is in the dependencies. @babel/runtime moves to ^7.9.6 in 9.0.1, bringing that runtime's bug fixes with it. The companion packages that handle linting, configuration loading, commit message reading and report formatting (@commitlint/lint, @commitlint/load, @commitlint/read and @commitlint/format) are bumped to 9.0.1 as well, keeping the commitlint packages in lockstep, and the @commitlint/test and @commitlint/utils devDependencies move from 9.0.0 to 9.0.1.
The unpacked size grows slightly, from 57502 to 57955. Both versions keep the same core dependencies (meow, chalk and lodash), so existing users should see no functional change. Upgrading to 9.0.1 should be a drop-in change, with any benefit coming from the updated underlying libraries. The short gap between the two release dates suggests 9.0.1 was a quick follow-up to issues found soon after 9.0.0 shipped.
Vulnerabilities reported for version 9.0.1 of the package. Both entries below affect transitive dependencies rather than @commitlint/cli's own code (meow, which @commitlint/cli uses for argument parsing, depends on both yargs-parser and trim-newlines), so check which versions your lockfile actually resolves, for example with npm ls yargs-parser trim-newlines or npm audit, before deciding whether you are exposed.
yargs-parser Vulnerable to Prototype Pollution (CVE-2020-7608)
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser; for a developer-run tool such as commitlint that typically means a git hook or CI script that forwards untrusted input onto the command line.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
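The following is an added example for this page, not yargs-parser's real source: a toy dot-notation argv parser that reproduces the class of bug described above, next to a hardened version that refuses prototype-reaching keys. The names setPath, setPathSafe, parseArgv and probe, and the sample argv, are constructed here. Running the advisory's payload through the vulnerable setter leaves a bar property on every object; the hardened setter throws instead.

```javascript
'use strict';

// Added example, not yargs-parser's code: a toy dot-notation argv parser
// with the same class of bug, beside a hardened version. All names and
// the sample argv below are constructed for this page.

// VULNERABLE: walks nested keys blindly. With the key "__proto__" the walk
// steps onto Object.prototype, so the final assignment lands on every object.
function setPath(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
}

// HARDENED: refuse the keys that can reach a prototype, and only descend
// into own properties so inherited ones are never traversed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new Error(`refusing to set key "${k}"`);
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(node, k);
    if (!own || typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
}

// Minimal "--key value" / "--key=value" / "--flag" parser. Positional
// arguments go to `_`. `setter` is the nested-key strategy under test.
function parseArgv(argv, setter) {
  const out = { _: [] };
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) { out._.push(arg); continue; }
    let key = arg.slice(2);
    let value;
    const eq = key.indexOf('=');
    if (eq !== -1) {
      value = key.slice(eq + 1);
      key = key.slice(0, eq);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    } else {
      value = true;
    }
    setter(out, key, value);
  }
  return out;
}

// Parse argv with the given setter and report whether Object.prototype
// gained `prop`. Always removes the property again so the rest of the
// process is not left polluted.
function probe(setter, argv, prop) {
  try {
    parseArgv(argv, setter);
    return Object.prototype.hasOwnProperty.call(Object.prototype, prop)
      ? 'polluted' : 'clean';
  } catch (err) {
    return 'rejected';
  } finally {
    delete Object.prototype[prop];
  }
}

// The payload from the advisory, as it would arrive in process.argv.
const PAYLOAD = ['--foo.__proto__.bar', 'baz'];
console.log('vulnerable parser:', probe(setPath, PAYLOAD, 'bar'));     // polluted
console.log('hardened parser: ', probe(setPathSafe, PAYLOAD, 'bar'));  // rejected
```

The fix in the real library is the same idea: stop treating __proto__ as an ordinary path segment. Blocking constructor and prototype as well closes the equivalent foo.constructor.prototype.bar route, and descending only into own properties means a key that happens to name an inherited member never walks off the object being built.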
Uncontrolled Resource Consumption in trim-newlines (CVE-2021-33623)
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method. A long run of newline characters that is not actually at the end of the input makes the anchored regex backtrack superlinearly, so a single crafted string can tie up the process.
Upgrade to 3.0.1, or to 4.0.1 for the 4.x line, or later.
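The following is an added example for this page, not trim-newlines' actual source. It assumes the pattern at issue has the shape /[\r\n]+$/ applied with replace(), shows why that backtracks quadratically on a hostile input, and places a linear-time index-scanning replacement beside it. The names trimEndWithRegex, trimEndLinear, hostileInput and timeMs are constructed here.

```javascript
'use strict';

// Added example, not trim-newlines' code. The regex below is ASSUMED to be
// the shape of pattern at issue: anchored at $ and applied with replace(),
// it backtracks quadratically when a long run of newlines is followed by
// one other character.
const TRAILING_NEWLINES_RE = /[\r\n]+$/;

// Regex-based .end() behaviour: correct output, superlinear on hostile input.
function trimEndWithRegex(s) {
  return s.replace(TRAILING_NEWLINES_RE, '');
}

// Linear-time replacement: scan back from the end while the character is
// \r (13) or \n (10), then slice. There is nothing to backtrack over.
function trimEndLinear(s) {
  let end = s.length;
  while (end > 0) {
    const c = s.charCodeAt(end - 1);
    if (c !== 10 && c !== 13) break;
    end--;
  }
  return s.slice(0, end);
}

// Adversarial input (constructed): n newlines that are NOT trailing, because
// a single 'x' follows them. The regex matches nothing but, for every start
// position inside the run, greedily consumes the rest and then gives it back
// one character at a time, so the work grows with n squared.
function hostileInput(n) {
  return '\n'.repeat(n) + 'x';
}

// Wall-clock milliseconds for one call; for the demonstration only.
function timeMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Functional equivalence on ordinary inputs, then timing on hostile input.
const samples = ['line\n', 'line\r\n\r\n', 'a\n\nb\n', '\n\n', '', 'no newline'];
for (const s of samples) {
  if (trimEndLinear(s) !== trimEndWithRegex(s)) {
    throw new Error('mismatch on ' + JSON.stringify(s));
  }
}
for (const n of [2000, 4000, 8000]) {
  const input = hostileInput(n);
  console.log(`n=${n}: regex ${timeMs(trimEndWithRegex, input).toFixed(1)} ms, ` +
              `linear ${timeMs(trimEndLinear, input).toFixed(2)} ms`);
}
```

Doubling n should roughly quadruple the regex time while the linear scan stays flat, which is the signature to look for when triaging a ReDoS report. The same pattern of fix (replace an end-anchored regex with a backward scan) is what the patched releases do.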