npm audit issue for @commitlint/config-conventional (dot-prop)

[jfaylon]

We have encountered an npm audit issue regarding @commitlint/config-conventional

It is understood that the version fix is already in master but is yet to be published. 44144ca

Expected Behavior

Has no/low npm audit issue.

Current Behavior

Version 9.1.2 is having the npm audit issue.

Affected packages

• cli
• core
• prompt
• config-angular

Possible Solution

Steps to Reproduce (for bugs)

1. First step
2. Second step

commitlint.config.js

```js ```

Context

Affecting our CI flow with npm audit checks. The advisory was published 29 July 2020.

Your Environment

Executable	Version
commitlint --version	VERSION
git --version	VERSION
node --version	10.16.0

[escapedcat]

We'll switch next to latest soon and create a new next from current master.
This duplicates/relates to #2032 (Edit: it does not)

[jfaylon]

Thank you :) looking forward to it :)

[escapedcat]

Sorry, my fault. Looks like this isn't fixed yet in lerna. We have to wait.

[kleinfreund]

@escapedcat

Sorry, my fault. Looks like this isn't fixed yet in lerna. We have to wait.

This might be a naïve question, but how is that related to lerna?

As far as I can tell, the faulty package in the dependency chain @commitlint/config-conventional > conventional-changelog-conventionalcommits > compare-func > dot-prop is @commitlint/config-conventional installing version 4.3.0 of conventional-changelog-conventionalcommits which doesn’t seem to have the updated version of the compare-func dependency.

I’m not exactly sure I read that right, though.

[escapedcat]

Hey @kleinfreund ,

first up, there's a high chance that I'm wrong, so all questions are valid :)

Doing this in a fresh project:

npm i  -D @commitlint/config-conventional@next @commitlint/cli@next

> core-js@3.6.5 postinstall /Users/foo/test/node_modules/core-js
> node -e "try{require('./postinstall')}catch(e){}"

Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!

The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:
> https://opencollective.com/core-js
> https://www.patreon.com/zloirock

Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)

npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN test@1.0.0 No description

+ @commitlint/cli@10.0.0
+ @commitlint/config-conventional@10.0.0
added 153 packages from 78 contributors and audited 153 packages in 31.06s

15 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

I assume the screenshot above is outdated by now. Might still be valid for the @latest version though. Didn't check.
I'm getting dot-prop warnings in our project because of lerna, but that's not related to commitlint. I got confused because commitlint is using lerna as well. And usually I'm not too focused when taking care of commitlint, which is a pity and leads to confusion. Sorry for that.

Anyways, please let me know if my feedback makes sense to you.

[kleinfreund]

I believe the @next version (which is currently the v10 release) installs a newer package version (4.3.1) of conventional-changelog-conventionalcommits than the @latest version (i.e. the v9 release). That explains why in the @next version, the vulnerability is no longer reported. As far as I can tell, all that’s needed to fix this issue for v9 users would be a new patch version release updating conventional-changelog-conventionalcommits from 4.3.0 to 4.3.1.

[escapedcat]

Agreed. v10 will be released soon and not sure how necessary a v9 patch version is.
v10 is mainly stopping node 10 support.

[escapedcat]

v11.0.0 has been released as @latest, please give it a try.

[iamscottcab]

Going through to try and tidy up some older open tickets today as I have time. This one seems resolved in the current release v11.0.0. On a fresh install this showed 0 vulnerable packages.