Grunt-release, a utility for automating Node.js project releases via Grunt, saw a significant update from version 0.3.5 to 0.4.0. Both versions share the same core functionality: automating the tedious steps involved in releasing new versions of Node.js projects. Both use shelljs for executing shell commands and semver for semantic versioning. Key development dependencies (Grunt, grunt-contrib-clean, and grunt-contrib-nodeunit) are unchanged, so integration with existing Grunt-based workflows and the existing test setup are unaffected. Both versions also keep a peer dependency on Grunt 0.4.1.
The primary change in version 0.4.0 is the updated semver dependency, which moves from version 1.1.4 to 2.0.10. This upgrade suggests improvements or bug fixes in the semantic-versioning logic; for developers, this likely means more robust and standards-compliant version handling during releases. The migration should be seamless, but developers should review the semver 2.0.10 changelog to understand the specific changes and confirm full compatibility. In short, version 0.4.0 provides a more up-to-date and reliable release process with a single dependency change.
All vulnerabilities related to version 0.4.0 of the package
Improper Privilege Management in shelljs
shelljs is vulnerable to Improper Privilege Management
Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user.
Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.
Patched in shelljs 0.8.5
Recommended action is to upgrade to 0.8.5.
https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/
Regular Expression Denial of Service in semver
Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.
Update to version 4.3.2 or later
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
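The three advisories above each describe a fixed-version boundary (shelljs 0.8.5; semver 4.3.2; and semver 7.5.2 / 6.3.1 / 5.7.2 depending on the branch). The script below is an added example, not code from the page or from the grunt-release project: it encodes those boundaries from the advisory text and checks a dependency map against them, so a maintainer can see at a glance which pinned versions still fall inside an affected range. The version comparator is a minimal MAJOR.MINOR.PATCH parser written here for the example; the shelljs version in the sample input is a constructed value, since the page does not state which shelljs version grunt-release 0.4.0 pins (the semver version 2.0.10 is the one the page gives).

```javascript
// Added example: audit pinned dependency versions against the advisory ranges
// quoted on this page. Not part of grunt-release; advisory boundaries are
// transcribed from the advisory text above.

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into a numeric triple.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two version strings: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// Advisory table: each entry is a predicate over the installed version plus
// the fix the advisory recommends.
const ADVISORIES = {
  shelljs: [
    {
      id: 'shelljs: sync shell.exec() output visible to other users',
      affected: (v) => compareVersions(v, '0.8.5') < 0,
      fix: 'upgrade to shelljs 0.8.5',
    },
  ],
  semver: [
    {
      id: 'semver: ReDoS on extremely long version strings',
      affected: (v) => compareVersions(v, '4.3.2') < 0,
      fix: 'update to semver 4.3.2 or later',
    },
    {
      id: 'semver: ReDoS via new Range on untrusted input',
      // 7.x fixed in 7.5.2, 6.x fixed in 6.3.1, everything else fixed in 5.7.2.
      affected: (v) => {
        const [major] = parseVersion(v);
        if (major === 7) return compareVersions(v, '7.5.2') < 0;
        if (major === 6) return compareVersions(v, '6.3.1') < 0;
        return compareVersions(v, '5.7.2') < 0;
      },
      fix: 'update to semver 7.5.2 (7.x), 6.3.1 (6.x) or 5.7.2 (older branches)',
    },
  ],
};

// Return the advisories that apply to one package at one version.
function findAdvisories(name, version) {
  return (ADVISORIES[name] || [])
    .filter((a) => a.affected(version))
    .map((a) => ({ id: a.id, fix: a.fix }));
}

// Audit a { name: version } map such as the dependencies block of a package.json.
function audit(deps) {
  const findings = [];
  for (const [name, version] of Object.entries(deps)) {
    for (const a of findAdvisories(name, version)) {
      findings.push({ name, version, ...a });
    }
  }
  return findings;
}

// Constructed sample input. semver 2.0.10 is the version the page states for
// grunt-release 0.4.0; the shelljs version is a placeholder chosen for the
// example, not the version the project actually pins.
const SAMPLE_DEPS = { semver: '2.0.10', shelljs: '0.8.4' };

console.log(JSON.stringify(audit(SAMPLE_DEPS), null, 2));
```

Running the script prints three findings for the sample input: both semver advisories (2.0.10 is below 4.3.2 and below 5.7.2) and the shelljs advisory (0.8.4 is below 0.8.5). Bumping the sample versions to the fixed releases makes the findings list empty.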