Please fix security issues. #914
Comments
|
Also, is there any strong reson why commitizen choose to lock minimist version? No other packages in my project is doing that. |
|
See #913 - looks like the auto-merge of the dependency update is waiting on the stabilityDays setting of RenovateBot. I tried to find the value, but I was unable to trace it beyond https://github.com/commitizen/commitizen-renovate-config/blob/master/default.json |
|
I am just curious why this dep's version is fixed. If we do not pin it with an exact version, this can be fixed by updating deps myself. |
|
any update about this one? |
|
I very much prefer non-pinned dependencies myself, but it was made this way before I started contributing. These days I'm not personally using this tool, and I believe that the publishing workflow doesn't work anymore (#897). Because of this I don't have much bandwidth to fix things here... If it sounds like a good way forward, I would be open to merging a pull request that changes the dependencies to be specified with |
|
Hi, any update on this? Looks like only publishing is needed now |
|
Hi, any update on this? I need to use it but still have security issues. So my company does not allow the use. |
|
Half a month bro 🤡, any schedule? Or shall I fork and publish a temp version first? |
|
Just noticed that the Severity is lifted to Critical. And I am sure that this will bother many people due to their company policity. |
|
@jimthedev Help needed here |
|
We worked around this using the "overrides": {
"commitizen": {
"inquirer": "8.2.0",
"minimist": "1.2.6"
}
}Not ideal, but might help some people move forward. I had to remove node modules and possibly package-lock.json as well before doing npm install to get the changes to take effect. Commitizen seems to be working fine with these changes, and npm audit is happy now too. |
|
If the above solution doesn't work for you, we used https://www.npmjs.com/package/npm-force-resolutions to resolve the vulnerability for the time being. |
|
If using Yarn modern, you can set this resolution in your project's package.json (equivalent of npm overrides): |
|
Any update on this? I don't see a workaround for this for people using NPM 7 :( |
|
The |
|
Anyone know of an alternative program for generating git commits following the cz-conventional-changelog format? |
|
@yvesnrb best I know of is https://commitizen-tools.github.io/commitizen/, which uses python. |
|
Almost a month now. Still no release date? |
|
Any roadmap to fix this 💩? It seems there is a moment this issue has been reported. # npm audit report
minimist <1.2.6
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/minimist
commitizen >=1.0.5
Depends on vulnerable versions of cz-conventional-changelog
Depends on vulnerable versions of minimist
node_modules/commitizen
cz-conventional-changelog >=3.0.2
Depends on vulnerable versions of commitizen
node_modules/commitizen/node_modules/cz-conventional-changelog
node_modules/cz-conventional-changelog
3 critical severity vulnerabilities |
|
Looks like this was fixed in #913 but maintainers need to make a new release |
|
@jimthedev please help with it. Many critical vulnerabilities here in package, need updated dependencies and release. |
|
also need this, pls thanks |
|
This project appears dead. Need to find alternatives |
|
can we get a release please maintainers? |
|
Please update minimist to 1.2.6, thank you! |
|
The fix has already been merged into I couldn't wait any longer for this due to the number of tickets I've had opened because of this so I've created a fork with an automated publishing lifecycle, which I'm now using in all of my projects. If anyone is looking for a solution that doesn't involve using overrides feel free to use it; it will continue to get security updates from this repository going forward since it'll be supporting enterprise projects. MigrateRun the following and commit the result in your project to complete the migration. (assuming you're using cz-conventional-changelog) npm npm uninstall commitizen cz-conventional-changelog
npx @ryansonshine/commitizen init @ryansonshine/cz-conventional-changelog --includeCommitizen --forceyarn yarn remove commitizen cz-conventional-changelog
yarn add @ryansonshine/commitizen
npx @ryansonshine/commitizen init @ryansonshine/cz-conventional-changelog --force --yarn |
I don’t think so, the 1st contributor was publishing release in the past years ➡️@jimthedev And he still has activity in the past week on GitHub. As the project creator and 1st contributor, I think he should be still in charged with this package, and I am not supposing he just “lost access” I would like to prefer to believe that he dropped this package maintenance and prefer to deprecate it (but without any announcement and still pin this package in his profile) This is open source, yet he should not be blamed, but I still think that his behavior does not fit the community environment and does have negative infect in the npm ecosystem. At least he fails other contributor who still working on this project. |
|
Whether they don't have access or are no longer maintaining the publish cycle still ends in the same result: we're going on 60 days since this issue was opened so I took action for myself and the projects I'm involved in. Mine will continue to get security updates for my projects, if anyone else can benefit from that then great; if not well that's fine too :) |
|
I am just expressing the following point:
I just feel deep disappointed metting this situation, specially finding out this is still the first pin repo on his profile.😑 |
|
Ah my mistake, I misread your initial comment. I agree with both of your statements. I've updated my comment accordingly. In an ideal world the ownership would be handed off to someone active, but considering we're coming up on 2 months for this issue I wouldn't get my hopes up. |
yarn migration doesn't seem to work on a monorepo, wasn't able to submit an issue in the forked repo so im adding it here. Migration for yarn workspaces/monorepo
// ...
"config": {
"commitizen": {
"path": "./node_modules/@ryansonshine/cz-conventional-changelog"
}
} |
|
Thanks for the feedback @Manokii ! I've went ahead an enabled issues on the repository as well as updated the installation instructions for yarn on my initial comment. |
## [4.0.11](v4.0.10...v4.0.11) (2022-05-22) ### Bug Fixes * **commitizen:** once again some updates for commitizen, added resolution for minimist ([d0aa816](d0aa816)), closes [/github.com/commitizen/cz-cli/issues/914#issuecomment-1094335756](https://github.com//github.com/commitizen/cz-cli/issues/914/issues/issuecomment-1094335756)
fix(commitizen): move from unmaintained commitizen repo to forked repo commitizen/cz-cli#914
Try run command |
|
I believe this is fixed in the new release, 4.2.5. |
and others
The text was updated successfully, but these errors were encountered: