NPM Audit Vulnerability #715
Comments
There's a PR up for this; it just needs to be merged by someone: #713
NOTE: PR #713 will not resolve this vulnerability. The minimum version for minimist is 1.2.3. The PR only bumps the version to 1.2.2.
My bad, misread the version number! I wonder why Dependabot doesn't update it to the latest version?
AFAICT, there are two bot-contributed PRs open to resolve this issue:
Both pull requests are failing on CI; I think the problem is Windows-specific. I am not able to view logs from Azure Pipelines, and the AppVeyor log is complaining about incorrect CI setup: https://ci.appveyor.com/project/jimthedev/cz-cli/builds/31474679
Ping @jimthedev, what's the status of this project? I see the last commit was merged in August 2019. I am an open-source maintainer myself, so I totally understand if you don't have time or energy to maintain this project going forward. Do you have any recommendations for us commitizen users on how to deal with the current security warning and/or help this project become actively maintained again?
Note that I'm coming here because I have this very security warning with
@bajtos https://dev.azure.com/commitizen/cbf3c633-a6bc-43ce-ae50-fe434d244768/_apis/build/builds/851/logs/50 is the current error I am working through. For some reason Windows fails with a ShellJS internal error, something about permissions on package.json. Not sure why it is failing on Windows.
The package
Applying the changes below fixes the ShellJS internal error and some other errors.
diff --git a/src/commitizen/adapter.js b/src/commitizen/adapter.js
index 6878946..6765618 100644
--- a/src/commitizen/adapter.js
+++ b/src/commitizen/adapter.js
@@ -78,7 +78,7 @@ function generateNpmInstallAdapterCommand (stringMappings, adapterNpmName) {
function generateYarnAddAdapterCommand (stringMappings, adapterNpmName) {
// Start with an initial yarn add command
- let installAdapterCommand = `yarn add ${adapterNpmName}`;
+ let installAdapterCommand = `npx yarn add ${adapterNpmName}`;
// Append the necessary arguments to it based on user preferences
for (let value of stringMappings.values()) { diff --git a/src/commitizen/init.js b/src/commitizen/init.js
index 624d5c4..396f0ae 100644
--- a/src/commitizen/init.js
+++ b/src/commitizen/init.js
@@ -96,6 +96,8 @@ function init (sh, repoPath, adapterNpmName, {
} catch (e) {
console.error(e);
}
+
+ sh.cd(__dirname);
}
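Review bot: In the adapter.js hunk, prefixing the generated command with `npx yarn add` changes what runs on the end user's machine: when yarn is not on PATH, npx fetches and executes the `yarn` package from the registry at install time, a new runtime dependency and supply-chain exposure that the plain `yarn add ${adapterNpmName}` did not have, and users who already have yarn installed now go through npx for no benefit. If this is only there so the Windows CI job can find yarn, fix the CI environment instead and keep `yarn add`; if the npx form is really intended, any caller or test comparing the string returned by `generateYarnAddAdapterCommand` needs updating, and the reason belongs in the comment above the line.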
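Review bot: In the init.js hunk, `sh.cd(__dirname)` leaves the process in commitizen's own module directory rather than wherever the caller was before `init` changed directory, so callers of `init` (and the test runner, per the note about process.cwd() below the patch) end up with a surprising working directory that depends on where the package is installed. Capture the caller's directory at function entry and restore that instead, and do it in a `finally` so the cwd is restored even when the try block throws, e.g. `const originalCwd = process.cwd();` at the top of `init` and `sh.cd(originalCwd);` in a `finally`.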
sh.cd() changes process.cwd(). Due to this behavior, the process holds directory access until the test exits, even if we want to remove it.
A PR to remove ShellJS would be very welcome 😬 Since the CI is currently red for There are a number of dev-dependencies that would still need to be bumped though, which probably includes dropping support for older versions of Node.js...
Fixed in commitizen@4.0.5, sorry for the delay everyone!
@LinusU thanks for updating the packages! The tests failing on Windows are not caused by ShellJS. Could you approve the above fix(
@hdmr14 I have a branch that I made last night which I think solves it by not using I'll push it later today, and then maybe you can review it for me?
@LinusU what nice work! Of course, I can 😍
Posted a PR here #729, but the test is still failing on Windows, although in a slightly different way...
Moderate Vulnerability: Prototype Pollution
Package: minimist
Patched in: >=1.2.3
See https://npmjs.com/advisories/1179
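As an added example, not code from this thread or the commitizen project: a script that walks a lockfileVersion 1 package-lock.json (the lock object is constructed inline here; a real run would `JSON.parse` the file) and reports every installed copy of minimist below the `>=1.2.3` range given in the advisory, so a bump that stops at 1.2.2, as PR #713 did, is caught before it is merged.

```javascript
// Added example (not from the commitizen project): flag every minimist copy in a
// lockfileVersion 1 package-lock.json that is below the patched range ">=1.2.3"
// from npm advisory 1179. Nested (non-hoisted) copies are walked as well.
const PATCHED = [1, 2, 3]; // minimum safe minimist version per the advisory

// Parse "1.2.2" (optionally with a prerelease suffix) into numeric parts.
function parseVersion(v) {
  const core = v.split('-')[0];
  return core.split('.').map(Number);
}

// true when version `v` satisfies >= PATCHED, comparing major, minor, patch in turn.
function isPatched(v) {
  const parts = parseVersion(v);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    const b = PATCHED[i];
    if (a !== b) return a > b;
  }
  return true; // exactly the patched version
}

// Collect every installed minimist below the patched range, with the
// dependency path through which it is pulled in.
function findVulnerable(lock) {
  const hits = [];
  function walk(deps, trail) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'minimist' && !isPatched(info.version)) {
        hits.push({ version: info.version, via: here.join(' > ') });
      }
      walk(info.dependencies, here); // recurse into nested copies
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Constructed lock file: a hoisted minimist at the version PR #713 proposed (1.2.2),
// and a nested copy under a hypothetical dependent that is already on the patched line.
const sampleLock = {
  dependencies: {
    minimist: { version: '1.2.2' },
    mkdirp: { version: '0.5.5', dependencies: { minimist: { version: '1.2.5' } } },
  },
};

console.log(findVulnerable(sampleLock)); // → [ { version: '1.2.2', via: 'minimist' } ]
```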