Conventional-github-releaser is a Node.js tool designed to automate the creation of GitHub releases directly from your Git metadata, streamlining the release management workflow for developers. Version 3.1.3 builds upon the foundations laid by version 3.1.2, offering subtle improvements relevant to the developer experience. Both versions share the same core dependencies, including conventional-changelog for generating changelogs, dateformat for timestamping, gh-got for GitHub API interactions, git-semver-tags for semantic version parsing from Git tags, and meow for CLI argument parsing.
The crucial difference lies in the releaseDate, marking the updates. Version 3.1.3 was released on June 3rd, 2019, while version 3.1.2 came out on June 8th, 2018. While the dependency list remains the same, there might be internal bug fixes, performance tweaks, or dependency updates within those shared packages that contribute to a more polished experience in 3.1.3. Also, the unpackedSize had a small increase. This may indicate minor code adjustments or optimizations.
For developers using this library, the unchanged dependency list means a smooth update process without major compatibility concerns. However, upgrading ensures they benefit from any underlying improvements in error handling, stability, or compatibility within the shared dependencies, keeping the tool up-to-date with best practices and potentially reducing friction in their release process. They can expect a reliable utility for automating GitHub releases, driven by conventional commit messages, ensuring clear communication about changes with each release.
All the vulnerabilities related to the version 3.1.3 of the package
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Got allows a redirect to a UNIX socket
The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.
http-cache-semantics vulnerable to Regular Expression Denial of Service
http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
Uncontrolled Resource Consumption in trim-newlines
@rkesters/gnuplot is an easy to use node module to draw charts using gnuplot and ps2pdf. The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
semver-regex Regular Expression Denial of Service (ReDOS)
npm semver-regex is vulnerable to Inefficient Regular Expression Complexity
Regular expression denial of service in semver-regex
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method
