
Yargs-parser security vulnerability for commitlint-cli #1691

Closed
b-zurg opened this issue May 2, 2020 · 15 comments


b-zurg commented May 2, 2020

Expected Behavior

No security vulnerabilities.

Current Behavior

Running npm audit results in the following report

                       === npm audit security report ===                        


                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           


  Low             Prototype Pollution                                           

  Package         yargs-parser                                                  

  Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2              

  Dependency of   @commitlint/cli [dev]                                         

  Path            @commitlint/cli > @commitlint/lint > @commitlint/parse >      
                  conventional-commits-parser > meow > yargs-parser             

  More info       https://npmjs.com/advisories/1500                             


  Low             Prototype Pollution                                           

  Package         yargs-parser                                                  

  Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2              

  Dependency of   @commitlint/cli [dev]                                         

  Path            @commitlint/cli > @commitlint/read > git-raw-commits > meow   
                  > yargs-parser                                                

  More info       https://npmjs.com/advisories/1500                             


  Low             Prototype Pollution

  Package         yargs-parser

  Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

  Dependency of   @commitlint/cli [dev]

  Path            @commitlint/cli > meow > yargs-parser

  More info       https://npmjs.com/advisories/1500

found 3 low severity vulnerabilities in 894217 scanned packages
  3 vulnerabilities require manual review. See the full report for details.

Affected packages

  • cli
  • core
  • prompt
  • config-angular

Possible Solution

The latest version of yargs-parser does not have this vulnerability. Recommend upgrading. Additionally recommend using the Snyk bot as it will regularly catch these and make PRs to solve security issues.

Steps to Reproduce (for bugs)

  1. npm init to make a new project
  2. Add the following lines to dependencies
    "@commitlint/cli": "^8.3.5",
    "@commitlint/config-conventional": "^8.3.4",
  3. npm install and then npm audit

Your Environment

Executable            Version
commitlint --version  6.14.4
git --version         git version 2.24.1.windows.2
node --version        v12.16.2
@tvvignesh

Yup. Having the same problem at my end.

Screenshot from 2020-05-11 10-54-21


amelcharai commented May 11, 2020

Just made a PR, but tests are failing: #1694
Feel free to help debugging.

@jeffreycahyono

Any update about this?

@escapedcat
Member

escapedcat commented Jun 13, 2020

Sorry, not sure when we have time to look into this. Feel free to help debugging.
Maybe adding a resolution for yargs-parser like we did in other cases might work better than updating meow? Just a thought. Didn't check the details.


yjm9425 commented Jun 18, 2020

Updating the dependency version in package-lock.json resolves it.

  1. package-lock.json - @commitlint/cli - requires - meow version update to 7.0.1
  2. rm node_modules
  3. npm install
  4. npm audit
    found 0 vulnerabilities
    solved
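The lock-file check behind the fix above, written here as an added example (not commitlint's own code and not part of the thread): it walks a package-lock.json dependency tree and reports every yargs-parser copy whose version falls outside the patched ranges quoted in the npm audit report, printing the same "a > b > c" path notation the report uses. The sample lock and the simplified semver comparator are constructed assumptions.

```javascript
// Added example, not code from commitlint or the thread: walk a lockfile-v1
// "dependencies" tree and report yargs-parser copies outside the patched ranges.
const PATCHED_RANGE = '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2';

// Minimal semver: "major.minor.patch" only (assumption: no prerelease tags in the lock).
function parseVersion(v) {
  const parts = String(v).replace(/^[^0-9]*/, '').split('.').map(Number);
  return [parts[0] || 0, parts[1] || 0, parts[2] || 0];
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// Range grammar as npm audit prints it: alternatives joined by "||",
// each a space-separated list of comparators like ">=13.1.2" or "<14.0.0".
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).every((comparator) => {
      const m = /^(>=|<=|>|<)(.+)$/.exec(comparator);
      if (!m) throw new Error(`unsupported comparator: ${comparator}`);
      const d = compareVersions(v, parseVersion(m[2]));
      return { '>=': d >= 0, '<=': d <= 0, '>': d > 0, '<': d < 0 }[m[1]];
    }));
}
// Recursively collect vulnerable copies of `pkg`, recording the nesting path
// in the same "a > b > c" form that npm audit uses.
function findVulnerable(lock, pkg, range, path = [], out = []) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg && !satisfies(entry.version, range)) {
      out.push({ path: here.join(' > '), version: entry.version });
    }
    findVulnerable(entry, pkg, range, here, out);
  }
  return out;
}
// Constructed sample lock (not real project data): one stale nested copy of
// yargs-parser under meow 5.x and one patched copy under meow 7.0.1.
const SAMPLE_LOCK = { dependencies: { '@commitlint/cli': { version: '8.3.5', dependencies: {
  meow: { version: '5.0.0', dependencies: { 'yargs-parser': { version: '10.1.0' } } },
  'git-raw-commits': { version: '2.0.0', dependencies: {
    meow: { version: '7.0.1', dependencies: { 'yargs-parser': { version: '18.1.3' } } } } },
} } } };
// For a real project: JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).
console.log(findVulnerable(SAMPLE_LOCK, 'yargs-parser', PATCHED_RANGE));
```

An empty result after the steps above is the same signal as "found 0 vulnerabilities" from npm audit, but computed offline against the lock file you are about to commit.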

@escapedcat
Member

Great if that works for you.
For the renovate-bot MR, several tests are failing; that's why we haven't merged it so far.
Feel free to look into this.

@vinayakkulkarni

This is still an issue!

@alexander-akait
Contributor

@escapedcat Can we focus on this issue? We use this package in the webpack/webpack-contrib orgs and we have had problems with audit for a long time, plus the new release 9.1.0 is not under the latest dist tag, which is also bad.

@escapedcat
Member

9.1.0 is available under next at the moment. Will be latest soon.

For further discussions regarding this issue I suggest joining the #commitlint room here: https://devtoolscommunity.herokuapp.com/

@escapedcat
Member

@byCedric I think if we focus on this one there's a chance to get rid of meow, use yargs-parser directly and update it to latest: #1939

@escapedcat
Member

Released under next for now, please give it a try, i.e.:

yarn add -D @commitlint/config-conventional@next @commitlint/cli@next

@escapedcat escapedcat mentioned this issue Aug 5, 2020

sivanirupavat commented Aug 6, 2020

image
No file is loading properly. If anyone has a solution to this problem then please tell me.

@escapedcat
Member

@sivanirupavat the issue in your screenshot is not related to commitlint, if I read this correctly.

@BookmDan

Updating the dependency version in package-lock.json resolves it.

  1. package-lock.json - @commitlint/cli - requires - meow version update to 7.0.1
  2. rm node_modules
  3. npm install
  4. npm audit
    found 0 vulnerabilities
    solved

@yjm9425
Can you elaborate on this? How do I update the package-lock.json?

@vinayakkulkarni

Updating the dependency version in package-lock.json resolves it.

  1. package-lock.json - @commitlint/cli - requires - meow version update to 7.0.1
  2. rm node_modules
  3. npm install
  4. npm audit
    found 0 vulnerabilities
    solved

@yjm9425 Can you elaborate on this? How do I update the package-lock.json?

rm -rf node_modules package-lock.json && npm i --prefer-offline

?
