@commitlint/parse using outdated version of conventional-changelog-angular

[MikeActually]

dot-prop dependency security issue was addressed as part of PR at conventional-changelog/conventional-changelog#647

Affected packages

• cli
• core
• prompt
• config-angular

Possible Solution

update package.json

Context

Allows for prototype pollution: GHSA-ff7x-qrg7-qggm

[escapedcat]

It's already merged. Next @next release will include this: #2056

[escapedcat]

Please give this a try:
yarn add -D @commitlint/config-conventional@next @commitlint/cli@next
v10.0.0 should fix this.

[jimmyandrade]

@escapedcat thank you. I'm updating right now.

[glumia]

The issue persists, @commitlint/parse is still declaring conventional-changelog-angular "^5.0.0" in its package.json:

commitlint/@commitlint/parse/package.json

Line 41 in cb1028e

"conventional-changelog-angular": "^5.0.0",

[escapedcat]

@glumia because of the ^ in ^5.0.0 it should install 5.0.11 on npm install. Maybe try a fresh install or check what your lock file says?

[glumia]

Aaa you are right sorry! There must be some problem with yarn because I solved the issue just removing by hand a line in the lock file* 😅

Thanks!

*I was somehow ending up with two lines for conventional-changelog-angular@^5.x.x in the yarn.lock file, one was causing the install of version 5.0.11 and the other one of version 5.0.10 (that brought the vulnerability issue).

[escapedcat]

v11.0.0 has been released as @latest