conventional-changelog/commitlint

Two high security vulnerabilities in transitive dependencies of @commitlint/cli

Open

#3289 opened on Aug 4, 2022

View on GitHub
 (3 comments) (1 reaction) (0 assignees)TypeScript (15,497 stars) (896 forks)batch import
dependencieshelp wanted

Description

cc @javoire

My organization maintains an internal package that was recently discovered to have a couple of high security vulnerabilities in transitive dependencies (namely, lodash.template and trim-newlines). Our package depends directly on @commitlint/cli, and in both cases the issues were downstream from @commitlint/cli. Upon investigating, I noticed that @commitlint/cli transitively depends on a package called git-raw-commits, which is apparently archived and read-only. Both offending packages/versions were transitive dependencies of this archived project. Git-raw-commits appears to also be owned by the conventional-changelog org.

Since these vulnerabilities stem downstream from git-raw-commits, and especially given that that package that is no longer maintained, I wanted to see if it would be possible to remove dependency on git-raw-commits from @commitlint/read (and therefore from @commitlint/cli). This would clear up both of these vulnerabilities, and allow us to continue using @commitlint/cli, which we would love to do!

The alternatives are slim, because in the case of the trim-newlines vulnerability, the version in which the vulnerability was resolved is totally out of range from what is being used downstream of git-raw-commits. And in the case of the lodash.template vulnerability, there is no patch/upgrade to resolve the vulnerability.

Expected Behavior

Running a Snyk vulnerability scan on a project that depends on @commitlint/cli does not detect downstream vulnerabilities

Current Behavior

Running a Snyk vulnerability scan on a project that depends on @commitlint/cli detects downstream vulnerabilities from trim-newlines and lodash.templates

Affected packages

  • cli
  • core
  • prompt
  • config-angular

Possible Solution

  • Remove dependency on git-raw-commits, which is archived/read-only and transitively depends on the vulnerable version of these two packages

Contributor guide

Tech stack
typescriptnodejs
Domain
securitytooling
Issue type
security
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
npmtransitive dependenciescommitlint codebase
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
30
Research direction
Investigate the usage of git raw commits in @commitlint/read (likely in packages/read/src). Determine if its functionality can be replaced by another library or implemented inline. Since git raw commits is archived, consider forking or using a maintained alternative like 'conventional commits parser'. Check the Snyk vulnerability reports for lodash.template and trim newlines to confirm they are no longer introduced. After replacement, run the test suite and audit dependencies to ensure vulnerabilities are resolved.