@commitlint/cli version 9.1.0 introduces several updates compared to the previous stable version 9.0.1. The most notable change for developers lies in the updated dependencies. The key dependency, chalk, has been upgraded from version 3.0.0 to version 4.1.0. Chalk is a popular terminal styling library, and this is a major-version bump: beyond any new color and formatting options it can change the supported Node.js versions and the exported API, which matters to anyone who extends or post-processes commitlint's console output. Several core @commitlint packages, including @commitlint/lint, @commitlint/load, @commitlint/read and @commitlint/format, have also been bumped from version 9.0.1 to 9.1.0. The internal dependency regenerator-runtime moved from 0.13.3 to 0.13.5, a patch-level change; regenerator-runtime is the helper library that transpiled generator and async/await code calls into, so the bump only touches builds that ship such transpiled output and is not expected to change behaviour. The cross-env dev dependency was bumped from 7.0.0 to 7.0.2. These updates suggest improvements and bug fixes within the commitlint ecosystem itself. Developers integrating @commitlint/cli should check the updated chalk version if they rely on specific styling features. Overall, version 9.1.0 promotes stability through dependency updates and internal package enhancements while maintaining the core functionality of linting commit messages.
All vulnerabilities associated with version 9.1.0 of the package (both are in transitive dependencies, not in @commitlint/cli's own code)
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of a property that will then exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser, so the practical check for a commitlint user is whether untrusted input can reach the CLI's argv, for example through hook scripts or CI configuration.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
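The payload described above, as an added example that is not part of this page or of yargs-parser's own code: a minimal dotted-key argv parser for Node.js that reproduces the pollution, beside a hardened version. The function names and the list of rejected key segments are assumptions chosen for illustration, not a description of how yargs-parser itself was fixed.

```javascript
'use strict';
// Added example, not yargs-parser's own code. A minimal "--a.b.c value" argv
// parser that reproduces the prototype-pollution pattern, beside a hardened
// variant. Function names and the FORBIDDEN list are assumptions for
// illustration, not a description of yargs-parser's actual fix.

// Turn argv into [key, value] pairs for "--key value", "--key=value" and
// bare "--flag" (value true). Non-option tokens are ignored.
function tokenize(argv) {
  const pairs = [];
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) continue;
    const body = arg.slice(2);
    const eq = body.indexOf('=');
    if (eq !== -1) {
      pairs.push([body.slice(0, eq), body.slice(eq + 1)]);
    } else if (argv[i + 1] !== undefined && !argv[i + 1].startsWith('--')) {
      pairs.push([body, argv[i + 1]]);
      i++;
    } else {
      pairs.push([body, true]);
    }
  }
  return pairs;
}

// VULNERABLE: walks the dotted path through plain objects with no check on
// segment names. For "foo.__proto__.bar", node.foo is a plain object, so
// node.foo['__proto__'] is Object.prototype and "bar" is written there.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
}

function parseArgsUnsafe(argv) {
  const result = {};
  for (const [key, value] of tokenize(argv)) setPathUnsafe(result, key, value);
  return result;
}

// Segments that can reach a prototype from an ordinary object.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// HARDENED: reject prototype-reaching segments outright, descend only into
// own properties, and create intermediate nodes with no prototype so nothing
// the parser builds shares Object.prototype.
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (FORBIDDEN.has(key)) {
      throw new Error(`refusing prototype-reaching key segment: ${key}`);
    }
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
}

function parseArgsSafe(argv) {
  const result = Object.create(null);
  for (const [key, value] of tokenize(argv)) setPathSafe(result, key, value);
  return result;
}

// Run the advisory's payload through both parsers and report what an
// unrelated, freshly created object sees afterwards.
function demo() {
  const argv = ['--foo.__proto__.bar', 'baz']; // constructed payload
  parseArgsUnsafe(argv);
  const pollutedValue = ({}).bar;    // 'baz': every object now has .bar
  delete Object.prototype.bar;       // undo the pollution for this process
  let rejected = false;
  try {
    parseArgsSafe(argv);
  } catch (err) {
    rejected = true;
  }
  const afterSafe = ({}).bar;        // undefined: prototype left untouched
  return { pollutedValue, rejected, afterSafe };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
  console.log(parseArgsSafe(['--rules.header-max-length=72', '--verbose']));
}
```

Run it with node: the first line printed shows that after the unsafe parse a fresh object literal already carries bar: 'baz', while the hardened parser rejects the payload and leaves Object.prototype untouched. The same three guards (reject prototype-reaching segments, descend only into own properties, build with null-prototype objects) apply to any code that writes user-controlled dotted paths into objects, not just argv parsers.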
Uncontrolled Resource Consumption in trim-newlines
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method. It is only reachable where attacker-controlled strings are passed to .end(), and the fix is to upgrade to 3.0.1 or 4.0.1 or later.
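To make the ReDoS class of bug concrete, an added example that is not trim-newlines' own code: a trailing-newline trimmer written with a backtracking regular expression beside a linear replacement, timed on a constructed adversarial input. The regular expression is an assumed illustration of the vulnerable pattern, not a claim about trim-newlines' actual source.

```javascript
'use strict';
// Added example, not trim-newlines' own code. The regular expression below is
// an assumed illustration of the vulnerable pattern class (a backtracking
// quantifier anchored at end of string), not a claim about trim-newlines'
// source; the linear version shows the shape of a safe replacement.

// Assumed vulnerable form: at every start position the greedy [\r\n]+ eats
// the rest of the newline run, $ fails on the trailing non-newline byte, and
// the engine backtracks through each shorter length, giving O(n^2) work.
function trimEndRegex(input) {
  return input.replace(/[\r\n]+$/, '');
}

// Safe form: walk backwards once and slice, O(n) with no backtracking.
function trimEndLinear(input) {
  let end = input.length;
  while (end > 0 && (input[end - 1] === '\n' || input[end - 1] === '\r')) {
    end -= 1;
  }
  return input.slice(0, end);
}

// Constructed adversarial input: a long run of newlines that is NOT at the
// end of the string, so the anchored regex fails at every position.
function adversarialInput(n) {
  return '\n'.repeat(n) + 'x';
}

function millis(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Compare both implementations on the same input: they must agree on the
// result, and only the regex version's time grows quadratically with n.
function compare(n) {
  const input = adversarialInput(n);
  const regexResult = trimEndRegex(input);
  const linearResult = trimEndLinear(input);
  return {
    n,
    sameOutput: regexResult === linearResult,
    regexMs: millis(trimEndRegex, input),
    linearMs: millis(trimEndLinear, input),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [2000, 4000, 8000]) console.log(compare(n));
}
```

Absolute timings depend on the machine, so the thing to look at is the ratio: doubling n should roughly quadruple regexMs while linearMs stays flat. The same shape of check (feed a long input that forces the anchored match to fail everywhere) is a quick way to screen any end-of-string trimming regex before it handles untrusted text.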