Description
cc @javoire
My organization maintains an internal package that was recently discovered to have a couple of high security vulnerabilities in transitive dependencies (namely, lodash.template and trim-newlines). Our package depends directly on @commitlint/cli, and in both cases the issues were downstream from @commitlint/cli. Upon investigating, I noticed that @commitlint/cli transitively depends on a package called git-raw-commits, which is apparently archived and read-only. Both offending packages/versions were transitive dependencies of this archived project. Git-raw-commits appears to also be owned by the conventional-changelog org.
Since these vulnerabilities stem downstream from git-raw-commits, and especially given that that package that is no longer maintained, I wanted to see if it would be possible to remove dependency on git-raw-commits from @commitlint/read (and therefore from @commitlint/cli). This would clear up both of these vulnerabilities, and allow us to continue using @commitlint/cli, which we would love to do!
The alternatives are slim, because in the case of the trim-newlines vulnerability, the version in which the vulnerability was resolved is totally out of range from what is being used downstream of git-raw-commits. And in the case of the lodash.template vulnerability, there is no patch/upgrade to resolve the vulnerability.
Expected Behavior
Running a Snyk vulnerability scan on a project that depends on @commitlint/cli does not detect downstream vulnerabilities
Current Behavior
Running a Snyk vulnerability scan on a project that depends on @commitlint/cli detects downstream vulnerabilities from trim-newlines and lodash.templates
Affected packages
- cli
- core
- prompt
- config-angular
Possible Solution
- Remove dependency on git-raw-commits, which is archived/read-only and transitively depends on the vulnerable version of these two packages