Grunt-conventional-changelog, a Grunt plugin for generating changelogs using the conventional-changelog format, saw a significant update from version 5.0.0 to 6.0.0. A key difference lies in the updated version of its core dependency, conventional-changelog, which jumps from version 0.5.0 to 1.0.1. This update signifies potential improvements in changelog generation, including enhanced formatting options, better handling of complex commit messages, and potentially new features introduced within the conventional-changelog library itself.
Developers upgrading to version 6.0.0 should be aware of potential breaking changes or alterations in the default changelog output due to the major version bump in conventional-changelog. Reviewing the conventional-changelog release notes for versions 0.6.0 through 1.0.1 is highly recommended to understand the full impact of this dependency update.
Beyond the core dependency, the development dependencies also show some upgrades. Notably, grunt-bump was updated from version 0.6.0 to 0.7.0 suggesting improvements in version bumping tasks. Also, grunt-contrib-jshint was updated from 0.11.1 to 0.12.0 and grunt-conventional-github-releaser was updated from 0.4.0 to 0.5.0. These improvements in dev dependencies may lead to slightly better development workflow and potentially new way on releasing into github.
The updates across various dependencies and the core library itself emphasize a focus on improving the functionality, stability, and overall experience when using Grunt-conventional-changelog for automated changelog generation.
All the vulnerabilities related to the version 6.0.0 of the package
Uncontrolled Resource Consumption in trim-newlines
@rkesters/gnuplot is an easy to use node module to draw charts using gnuplot and ps2pdf. The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
dot-prop Prototype Pollution vulnerability
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
