chore(deps): update dependency standard-version to v8 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
standard-version	^4.4.0 -> ^8.0.0

GitHub Vulnerability Alerts

GHSA-7xcx-6wjh-7xp2

GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2020-111

The GitHub Security Lab team has identified a potential security vulnerability in standard-version.

Summary

The standardVersion function has a command injection vulnerability. Clients of the standard-version library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

Product

Standard Version

Tested Version

Commit 2f04ac8

Details

Issue 1: Command injection in standardVersion

The following proof-of-concept illustrates the vulnerability. First install Standard Version and create an empty git repo to run the PoC in:

npm install standard-version
git init
echo "foo" > foo.txt # the git repo has to be non-empty
git add foo.txt
git commit -am "initial commit"

Now create a file with the following contents:

var fs = require("fs");
// setting up a bit of environment
fs.writeFileSync("package.json", '{"name": "foo", "version": "1.0.0"}');

const standardVersion = require('standard-version')

standardVersion({
  noVerify: true,
  infile: 'foo.txt',
  releaseCommitMessageFormat: "bla `touch exploit`"
})

and run it:

node test.js

Notice that a file named exploit has been created.

This vulnerability is similar to command injection vulnerabilities that have been found in other Javascript libraries. Here are some examples:
CVE-2020-7646,
CVE-2020-7614,
CVE-2020-7597,
CVE-2019-10778,
CVE-2019-10776,
CVE-2018-16462,
CVE-2018-16461,
CVE-2018-16460,
CVE-2018-13797,
CVE-2018-3786,
CVE-2018-3772,
CVE-2018-3746,
CVE-2017-16100,
CVE-2017-16042.

We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the standard-version project here.

Impact

This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.

Remediation

We recommend not using an API that can interpret a string as a shell command. For example, use child_process.execFile instead of child_process.exec.

Credit

This issue was discovered and reported by GitHub Engineer @​erik-krogh (Erik Krogh Kristensen).

Contact

You can contact the GHSL team at securitylab@github.com, please include GHSL-2020-111 in any communication regarding this issue.

Disclosure Policy

This report is subject to our coordinated disclosure policy.

---

Release Notes

conventional-changelog/standard-version (standard-version)

v8.0.1

Compare Source

v8.0.0

Compare Source

⚠ BREAKING CHANGES

• composer.json and composer.lock will no longer be read from or bumped by default. If you need to obtain a version or write a version to these files, please use bumpFiles and/or packageFiles options accordingly.

Bug Fixes

• composer.json and composer.lock have been removed from default package and bump files. (c934f3a), closes #​495 #​394
• deps: update dependency conventional-changelog to v3.1.18 (#​510) (e6aeb77)
• deps: update dependency yargs to v15.1.0 (#​518) (8f36f9e)
• deps: update dependency yargs to v15.3.1 (#​559) (d98cd46)

v7.1.0

Compare Source

Features

• Adds support for header (--header) configuration based on the spec. (#​364) (ba80a0c)
• custom 'bumpFiles' and 'packageFiles' support (#​372) (564d948)

Bug Fixes

• deps: update dependency conventional-changelog to v3.1.15 (#​479) (492e721)
• deps: update dependency conventional-changelog-conventionalcommits to v4.2.3 (#​496) (bc606f8)
• deps: update dependency conventional-recommended-bump to v6.0.5 (#​480) (1e1e215)
• deps: update dependency yargs to v15 (#​484) (35b90c3)
• use require.resolve for the default preset (#​465) (d557372)
• deps: update dependency detect-newline to v3.1.0 (#​482) (04ab36a)
• deps: update dependency figures to v3.1.0 (#​468) (63300a9)
• deps: update dependency git-semver-tags to v3.0.1 (#​485) (9cc188c)
• deps: update dependency yargs to v14.2.1 (#​483) (dc1fa61)
• deps: update dependency yargs to v14.2.2 (#​488) (ecf26b6)

7.0.1 (2019-11-07)

Bug Fixes

• deps: update dependency conventional-changelog to v3.1.12 (#​463) (f04161a)
• deps: update dependency conventional-changelog-config-spec to v2.1.0 (#​442) (a2c5747)
• deps: update dependency conventional-recommended-bump to v6.0.2 (#​462) (84bb581)
• deps: update dependency stringify-package to v1.0.1 (#​459) (e06a835)
• deps: update dependency yargs to v14 (#​440) (fe37e73)
• deps: update dependency yargs to v14.2.0 (#​461) (fb21851)

v7.0.1

Compare Source

v7.0.0

Compare Source

⚠ BREAKING CHANGES

• we were accepting .version.json as a config file, rather than .versionrc.json

Bug Fixes

• bump: transmit tag prefix argument to conventionalRecommendedBump (#​393) (8205222)
• cli: display only one, correct default for --preset flag (#​377) (d17fc81)
• commit: don't try to process and add changelog if skipped (#​318) (3e4fdec)
• deps: update dependency conventional-changelog-config-spec to v2 (#​352) (f586844)
• deps: update dependency conventional-recommended-bump to v6 (#​417) (4c5cad1)
• deps: update dependency find-up to v4 (#​355) (73b35f8)
• deps: update dependency find-up to v4.1.0 (#​383) (b621a4a)
• deps: update dependency git-semver-tags to v3 (#​418) (1ce3f4a)
• deps: update dependency semver to v6.3.0 (#​366) (cd866c7)
• deps: update dependency yargs to v13.3.0 (#​401) (3d0e8c7)
• adds support for releaseCommitMessageFormat (#​351) (a7133cc)
• stop suggesting npm publish if package.json was not updated (#​319) (a5ac845)
• Updates package.json to actual supported (tested) NodeJS versions. (#​379) (15eec8a)
• deps: update dependency yargs to v13.2.4 (#​356) (00b2ce6)
• update config file name in command based on README.md (#​357) (ce44dd2)

6.0.1 (2019-05-05)

Bug Fixes

• don't pass args to git rev-parse (1ac72f7)

v6.0.1

Compare Source

v6.0.0

Compare Source

Bug Fixes

• always pass version to changelog context (#​327) (00e3381)
• deps: update dependency detect-indent to v6 (#​341) (234d9dd)
• deps: update dependency detect-newline to v3 (#​342) (02a6093)
• deps: update dependency figures to v3 (#​343) (7208ded)
• deps: update dependency semver to v6 (#​344) (c40487a)
• deps: update dependency yargs to v13 (#​345) (b2c8e59)
• prevent duplicate headers from being added (#​305) (#​307) (db2c6e5)

Build System

• add renovate.json (#​273) (bf41474)
• drop Node 6 from testing matrix (#​346) (6718428)

Features

• adds configurable conventionalcommits preset (#​323) (4fcd4a7)
• allow a user to provide a custom changelog header (#​335) (1c51064)
• bump minor rather than major, if release is < 1.0.0 (#​347) (5d972cf)
• suggest branch name other than master (#​331) (304b49a)
• update commit msg for when using commitAll (#​320) (74a040a)

Tests

• disable gpg signing in temporary test repositories. (#​311) (bd0fcdf)
• use const based on new eslint rules (#​329) (b6d3d13)

BREAKING CHANGES

• we now bump the minor rather than major if version < 1.0.0; --release-as can be used to bump to 1.0.0.
• tests are no longer run for Node 6
• we now use the conventionalcommits preset by default, which directly tracks conventionalcommits.org.

v5.0.2

Compare Source

v5.0.1

Compare Source

Bug Fixes

• make pattern for finding CHANGELOG sections work for non anchors (#​292) (b684c78)

v5.0.0

Compare Source

Bug Fixes

• bin now enforces Node.js > 4 (#​274) (e1b5780)
• no --tag prerelease for private module (#​296) (27e2ab4), closes #​294
• show correct pre-release tag in help output (#​259) (d90154a)

chore

• update testing matrix (1d46627)

Features

• adds support for bumping for composer versions (#​262) (fee872f)
• cli application accept path/preset option (#​279) (69c62cf)
• fallback to tags if no meta-information file found (#​275) (844cde6)
• preserve formatting when writing to package.json (#​282) (96216da)

BREAKING CHANGES

• if no package.json, bower.json, etc., is found, we now fallback to git tags
• removed Node 4/5 from testing matrix

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[changeset-bot]

⚠️ No Changeset found

Latest commit: a9c1c61

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[socket-security]

New dependency changes detected. Learn more about Socket for GitHub ↗︎

---

👍 No new dependency issues detected in pull request

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

Pull request alert summary

Issue	Status
Install scripts	✅ 0 issues
Native code	✅ 0 issues
Bin script shell injection	✅ 0 issues
Unresolved require	✅ 0 issues
Invalid package.json	✅ 0 issues
HTTP dependency	✅ 0 issues
Git dependency	✅ 0 issues
Potential typo squat	✅ 0 issues
Known Malware	✅ 0 issues
Telemetry	✅ 0 issues
Protestware/Troll package	✅ 0 issues

---

📊 Modified Dependency Overview:

⬆️ Updated Package	Version Diff	Added Capability Access	+/- Transitive Count	Publisher
standard-version@8.0.2	4.4.0...8.0.2	None	+46/-17	oss-bot

[guardrails]

⚠️ We detected 54 security issues in this pull request:

Vulnerable Libraries (54)

Severity	Details
High	body-parser@1.19.0 (t) upgrade to: 1.19.0
Medium	browserslist@4.16.3 (t) upgrade to: >4.16.4
High	standard-version@8.0.2 upgrade to: >=9.5.0
Medium	yargs@9.0.1 (t) upgrade to: >12.0.5
High	pkg:npm/trim-newlines@3.0.0@3.0.0 (t) upgrade to: 3.0.1,4.0.1
High	pkg:npm/tmpl@1.0.4@1.0.4 (t) upgrade to: 1.0.5
Medium	pkg:npm/nwsapi@2.2.0@2.2.0 (t) - no patch available
Medium	pkg:npm/core-js@2.5.3@2.5.3 (t) - no patch available
High	pkg:npm/git-username@1.0.0@1.0.0 (t) - no patch available
Medium	pkg:npm/chownr@1.0.1@1.0.1 (t) - no patch available
High	pkg:npm/mem@1.1.0@1.1.0 (t) - no patch available
Medium	pkg:npm/got@6.7.1@6.7.1 (t) - no patch available
High	pkg:npm/minimatch@3.0.4@3.0.4 (t) upgrade to: 3.0.5
Medium	pkg:npm/trim-off-newlines@1.0.1@1.0.1 (t) upgrade to: 1.0.3
Medium	pkg:npm/hoek@4.2.1@4.2.1 (t) - no patch available
High	pkg:npm/json5@0.5.1@0.5.1 (t) - no patch available
High	pkg:npm/ansi-regex@3.0.0@3.0.0 (t) upgrade to: 6.0.1,5.0.1,4.1.1,3.0.1
High	pkg:npm/tar@4.4.1@4.4.1 (t) upgrade to: 4.4.2,2.2.2
Critical	pkg:npm/execa@1.0.0@1.0.0 (t) - no patch available
Medium	pkg:npm/got@8.3.2@8.3.2 (t) - no patch available
Critical	pkg:npm/unset-value@1.0.0@1.0.0 (t) - no patch available
N/A	pkg:npm/debug@2.6.9@2.6.9 (t) upgrade to: 3.1.0
High	pkg:npm/glob-parent@5.1.1@5.1.1 (t) upgrade to: 5.1.2
Critical	pkg:npm/socket.io-parser@4.0.4@4.0.4 (t) upgrade to: 4.0.5,4.2.1
High	pkg:npm/y18n@3.2.1@3.2.1 (t) upgrade to: 3.2.2,4.0.1,5.0.5
High	pkg:npm/fb-watchman@2.0.1@2.0.1 (t) - no patch available
Medium	pkg:npm/istanbul-reports@3.0.2@3.0.2 (t) - no patch available
High	pkg:npm/ini@1.3.5@1.3.5 (t) upgrade to: 1.3.6
Critical	pkg:npm/set-value@2.0.1@2.0.1 (t) - no patch available
High	pkg:npm/http-cache-semantics@3.8.1@3.8.1 (t) - no patch available
Critical	pkg:npm/socket.io@4.5.1@4.5.1 (t) - no patch available
Medium	pkg:npm/uglify-js@3.12.5@3.12.5 (t) - no patch available
Critical	pkg:npm/execa@0.9.0@0.9.0 (t) - no patch available
High	pkg:npm/y18n@5.0.5@5.0.5 (t) - no patch available
Medium	pkg:npm/node-notifier@8.0.1@8.0.1 (t) - no patch available
High	pkg:npm/semver-regex@2.0.0@2.0.0 (t) upgrade to: 3.1.3,4.0.1
Medium	pkg:npm/https-proxy-agent@2.2.4@2.2.4 (t) - no patch available
Critical	pkg:npm/execa@0.7.0@0.7.0 (t) - no patch available
High	pkg:npm/trim-newlines@1.0.0@1.0.0 (t) upgrade to: 3.0.1,4.0.1
High	pkg:npm/yargs-parser@7.0.0@7.0.0 (t) - no patch available
High	pkg:npm/prompts@2.4.0@2.4.0 (t) - no patch available
N/A	pkg:npm/decode-uri-component@0.2.0@0.2.0 (t) - no patch available
High	pkg:npm/hosted-git-info@2.8.8@2.8.8 (t) - no patch available
High	pkg:npm/lodash.template@4.4.0@4.4.0 (t) - no patch available
High	pkg:npm/minimist@0.0.8@0.0.8 (t) - no patch available
Medium	pkg:npm/ua-parser-js@0.7.31@0.7.31 (t) - no patch available
High	pkg:npm/npm-bundled@1.0.3@1.0.3 (t) - no patch available
Medium	pkg:npm/engine.io@6.2.0@6.2.0 (t) - no patch available
High	pkg:npm/npm-packlist@1.1.10@1.1.10 (t) - no patch available
High	pkg:npm/minimist@1.2.0@1.2.0 (t) - no patch available
High	pkg:npm/hosted-git-info@2.5.0@2.5.0 (t) - no patch available
N/A	pkg:npm/browserslist@4.15.0@4.15.0 (t) - no patch available
Medium	pkg:npm/terser@5.5.1@5.5.1 (t) - no patch available
Low	pkg:npm/node-fetch@2.6.7@2.6.7 (t) - no patch available

More info on how to fix Vulnerable Libraries in JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.