Conventional Github Releaser, a tool designed to automate the creation of GitHub releases from git metadata, saw a minor version update from 1.1.8 to 1.1.9 on May 29, 2017. While both versions share the same core functionality and dependencies, this update introduces minor improvements and under-the-hood tweaks.
The dependency list for both versions remains identical, utilizing key packages such as conventional-changelog for generating changelogs, github for interacting with the GitHub API, and semver for semantic versioning. Development dependencies also remained unchanged, ensuring a consistent testing and linting environment using tools like chai, mocha, jscs, and jshint. This consistency implies that developers upgrading from 1.1.8 to 1.1.9 should experience a seamless transition.
The core value proposition for developers using this library centers around automating the release workflow. By leveraging Conventional Commits, the tool automatically generates release notes and publishes them to GitHub, saving time and reducing the risk of manual errors. Because the dependencies are pretty similar from one version to the other, upgrading should be pretty straightforward. Users will want to upgrade as the newer version has a fix for a small bug or an improvement that will go unoticed to most of the users.
All the vulnerabilities related to the version 1.1.9 of the package
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
dot-prop Prototype Pollution vulnerability
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
semver-regex Regular Expression Denial of Service (ReDOS)
npm semver-regex is vulnerable to Inefficient Regular Expression Complexity
Regular expression denial of service in semver-regex
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method
Uncontrolled Resource Consumption in trim-newlines
@rkesters/gnuplot is an easy to use node module to draw charts using gnuplot and ps2pdf. The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
