Grunt Conventional Changelog has a new stable release, version 6.1.0, following closely on the heels of version 6.0.1. The core functionality remains the same: generating changelogs automatically based on conventional commit messages. Developers relying on automated changelog generation for their projects will find this update relevant.
A key difference lies within the dependencies. Version 6.1.0 updates the conventional-changelog dependency to version ^1.1.0, while version 6.0.1 used conventional-changelog version ^1.0.1. This update to conventional-changelog, while seemingly minor, likely includes bug fixes, performance improvements, and possibly new features within the underlying changelog generation logic. Developers should consult the conventional-changelog release notes for a detailed list of changes introduced in this sub-dependency. All other dependencies remain unchanged between the two versions.
Both versions maintain the same development dependencies, including tools for linting, testing, code coverage, and task automation via Grunt. This consistent tooling ensures that developers can easily contribute to and maintain projects using this Grunt plugin. The license remains MIT, ensuring broad compatibility and usage rights and the release date for 6.1.0 is 2016-02-13, a couple of days after its predecessor. The grunt-conventional-changelog plugin efficiently automates the changelog creation process, saving valuable developer time and ensuring consistency in release documentation. If you're using Grunt for your project, this plugin offers a streamlined solution for managing your changelog.
All the vulnerabilities related to the version 6.1.0 of the package
Uncontrolled Resource Consumption in trim-newlines
@rkesters/gnuplot is an easy to use node module to draw charts using gnuplot and ps2pdf. The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
dot-prop Prototype Pollution vulnerability
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
