Conventional-github-releaser version 2.0.1 is a minor update to version 2.0.0, aimed at streamlining the release process for GitHub projects using semantic versioning. Both versions share the core functionality of automating the creation of GitHub releases based on git metadata, making it easier for developers to publish updates with well-formatted changelogs derived from commit messages. The tool leverages conventional-changelog to parse commit messages and construct release notes, simplifying the process of communicating changes to users.
A key difference lies in the dependencies. Version 2.0.1 upgrades "meow" from ^3.3.0 to ^4.0.0, suggesting potential enhancements or bug fixes within the command-line interface. The newer version also includes "fileCount" and "unpackedSize" properties in the "dist" section, which might be helpful for understanding the package size and structure, but it removes the "devDependencies" that are used for development and testing. Furthermore, the "releaseDate" is updated to reflect the newer publishing date. This update primarily affects developers already using version 2.0.0, offering them a refined dependency that potentially enhances the CLI experience with the latest features and improvements. The core benefit for all users remains: automating release creation on GitHub, saving time and effort by generating release notes from conventional commit messages.
All the vulnerabilities related to version 2.0.1 of the package
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
dot-prop Prototype Pollution vulnerability
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Got allows a redirect to a UNIX socket
The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.
Uncontrolled Resource Consumption in trim-newlines
@rkesters/gnuplot is an easy-to-use node module to draw charts using gnuplot and ps2pdf. The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
semver-regex Regular Expression Denial of Service (ReDoS)
npm semver-regex is vulnerable to Inefficient Regular Expression Complexity.
Regular expression denial of service in semver-regex
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package when an attacker is able to supply arbitrary input to the test() method.