chore(deps): update dependency standard-version to v8 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
standard-version	^6.0.1 → ^8.0.0

GitHub Vulnerability Alerts

GHSA-7xcx-6wjh-7xp2

GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2020-111

The GitHub Security Lab team has identified a potential security vulnerability in standard-version.

Summary

The standardVersion function has a command injection vulnerability. Clients of the standard-version library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

Product

Standard Version

Tested Version

Commit 2f04ac8

Details

Issue 1: Command injection in standardVersion

The following proof-of-concept illustrates the vulnerability. First install Standard Version and create an empty git repo to run the PoC in:

npm install standard-version
git init
echo "foo" > foo.txt # the git repo has to be non-empty
git add foo.txt
git commit -am "initial commit"

Now create a file with the following contents:

var fs = require("fs");
// setting up a bit of environment
fs.writeFileSync("package.json", '{"name": "foo", "version": "1.0.0"}');

const standardVersion = require('standard-version')

standardVersion({
  noVerify: true,
  infile: 'foo.txt',
  releaseCommitMessageFormat: "bla `touch exploit`"
})

and run it:

node test.js

Notice that a file named exploit has been created.

This vulnerability is similar to command injection vulnerabilities that have been found in other Javascript libraries. Here are some examples:
CVE-2020-7646,
CVE-2020-7614,
CVE-2020-7597,
CVE-2019-10778,
CVE-2019-10776,
CVE-2018-16462,
CVE-2018-16461,
CVE-2018-16460,
CVE-2018-13797,
CVE-2018-3786,
CVE-2018-3772,
CVE-2018-3746,
CVE-2017-16100,
CVE-2017-16042.

We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the standard-version project here.

Impact

This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.

Remediation

We recommend not using an API that can interpret a string as a shell command. For example, use child_process.execFile instead of child_process.exec.

Credit

This issue was discovered and reported by GitHub Engineer @​erik-krogh (Erik Krogh Kristensen).

Contact

You can contact the GHSL team at securitylab@github.com, please include GHSL-2020-111 in any communication regarding this issue.

Disclosure Policy

This report is subject to our coordinated disclosure policy.

---

Release Notes

conventional-changelog/standard-version (standard-version)

v8.0.1

Compare Source

⚠ BREAKING CHANGES

• NodeJS@​8 is no longer supported. (#​612)

Bug Fixes

• deps: update dependency conventional-changelog to v3.1.23 (#​652) (00dd3c0)
• deps: update dependency conventional-changelog-conventionalcommits to v4.4.0 (#​650) (9f201a6)
• deps: update dependency conventional-recommended-bump to v6.0.10 (#​653) (c360d6a)

Build System

• NodeJS@​8 is no longer supported. (#​612) (05edef2)

8.0.2 (2020-07-14)

Bug Fixes

• Commit message and tag name is no longer enclosed in quotes. (#​619) (ae032bf), closes #​621 #​620

8.0.1 (2020-07-12)

Bug Fixes

• deps: update dependency conventional-changelog to v3.1.21 (#​586) (fd456c9)
• deps: update dependency conventional-changelog-conventionalcommits to v4.3.0 (#​587) (b3b5eed)
• deps: update dependency conventional-recommended-bump to v6.0.9 (#​588) (d4d2ac2)
• deps: update dependency git-semver-tags to v4 (#​589) (a0f0e81)
• Vulnerability Report GHSL-2020-11101 (9d978ac)

v8.0.0

Compare Source

⚠ BREAKING CHANGES

• NodeJS@​8 is no longer supported. (#​612)

Bug Fixes

• deps: update dependency conventional-changelog to v3.1.23 (#​652) (00dd3c0)
• deps: update dependency conventional-changelog-conventionalcommits to v4.4.0 (#​650) (9f201a6)
• deps: update dependency conventional-recommended-bump to v6.0.10 (#​653) (c360d6a)

Build System

• NodeJS@​8 is no longer supported. (#​612) (05edef2)

8.0.2 (2020-07-14)

Bug Fixes

• Commit message and tag name is no longer enclosed in quotes. (#​619) (ae032bf), closes #​621 #​620

8.0.1 (2020-07-12)

Bug Fixes

• deps: update dependency conventional-changelog to v3.1.21 (#​586) (fd456c9)
• deps: update dependency conventional-changelog-conventionalcommits to v4.3.0 (#​587) (b3b5eed)
• deps: update dependency conventional-recommended-bump to v6.0.9 (#​588) (d4d2ac2)
• deps: update dependency git-semver-tags to v4 (#​589) (a0f0e81)
• Vulnerability Report GHSL-2020-11101 (9d978ac)

v7.1.0

Compare Source

Features

• Adds support for header (--header) configuration based on the spec. (#​364) (ba80a0c)
• custom 'bumpFiles' and 'packageFiles' support (#​372) (564d948)

Bug Fixes

• deps: update dependency conventional-changelog to v3.1.15 (#​479) (492e721)
• deps: update dependency conventional-changelog-conventionalcommits to v4.2.3 (#​496) (bc606f8)
• deps: update dependency conventional-recommended-bump to v6.0.5 (#​480) (1e1e215)
• deps: update dependency yargs to v15 (#​484) (35b90c3)
• use require.resolve for the default preset (#​465) (d557372)
• deps: update dependency detect-newline to v3.1.0 (#​482) (04ab36a)
• deps: update dependency figures to v3.1.0 (#​468) (63300a9)
• deps: update dependency git-semver-tags to v3.0.1 (#​485) (9cc188c)
• deps: update dependency yargs to v14.2.1 (#​483) (dc1fa61)
• deps: update dependency yargs to v14.2.2 (#​488) (ecf26b6)

7.0.1 (2019-11-07)

Bug Fixes

• deps: update dependency conventional-changelog to v3.1.12 (#​463) (f04161a)
• deps: update dependency conventional-changelog-config-spec to v2.1.0 (#​442) (a2c5747)
• deps: update dependency conventional-recommended-bump to v6.0.2 (#​462) (84bb581)
• deps: update dependency stringify-package to v1.0.1 (#​459) (e06a835)
• deps: update dependency yargs to v14 (#​440) (fe37e73)
• deps: update dependency yargs to v14.2.0 (#​461) (fb21851)

v7.0.1

Compare Source

Features

• Adds support for header (--header) configuration based on the spec. (#​364) (ba80a0c)
• custom 'bumpFiles' and 'packageFiles' support (#​372) (564d948)

Bug Fixes

• deps: update dependency conventional-changelog to v3.1.15 (#​479) (492e721)
• deps: update dependency conventional-changelog-conventionalcommits to v4.2.3 (#​496) (bc606f8)
• deps: update dependency conventional-recommended-bump to v6.0.5 (#​480) (1e1e215)
• deps: update dependency yargs to v15 (#​484) (35b90c3)
• use require.resolve for the default preset (#​465) (d557372)
• deps: update dependency detect-newline to v3.1.0 (#​482) (04ab36a)
• deps: update dependency figures to v3.1.0 (#​468) (63300a9)
• deps: update dependency git-semver-tags to v3.0.1 (#​485) (9cc188c)
• deps: update dependency yargs to v14.2.1 (#​483) (dc1fa61)
• deps: update dependency yargs to v14.2.2 (#​488) (ecf26b6)

7.0.1 (2019-11-07)

Bug Fixes

• deps: update dependency conventional-changelog to v3.1.12 (#​463) (f04161a)
• deps: update dependency conventional-changelog-config-spec to v2.1.0 (#​442) (a2c5747)
• deps: update dependency conventional-recommended-bump to v6.0.2 (#​462) (84bb581)
• deps: update dependency stringify-package to v1.0.1 (#​459) (e06a835)
• deps: update dependency yargs to v14 (#​440) (fe37e73)
• deps: update dependency yargs to v14.2.0 (#​461) (fb21851)

v7.0.0

Compare Source

Features

• Adds support for header (--header) configuration based on the spec. (#​364) (ba80a0c)
• custom 'bumpFiles' and 'packageFiles' support (#​372) (564d948)

Bug Fixes

• deps: update dependency conventional-changelog to v3.1.15 (#​479) (492e721)
• deps: update dependency conventional-changelog-conventionalcommits to v4.2.3 (#​496) (bc606f8)
• deps: update dependency conventional-recommended-bump to v6.0.5 (#​480) (1e1e215)
• deps: update dependency yargs to v15 (#​484) (35b90c3)
• use require.resolve for the default preset (#​465) (d557372)
• deps: update dependency detect-newline to v3.1.0 (#​482) (04ab36a)
• deps: update dependency figures to v3.1.0 (#​468) (63300a9)
• deps: update dependency git-semver-tags to v3.0.1 (#​485) (9cc188c)
• deps: update dependency yargs to v14.2.1 (#​483) (dc1fa61)
• deps: update dependency yargs to v14.2.2 (#​488) (ecf26b6)

7.0.1 (2019-11-07)

Bug Fixes

• deps: update dependency conventional-changelog to v3.1.12 (#​463) (f04161a)
• deps: update dependency conventional-changelog-config-spec to v2.1.0 (#​442) (a2c5747)
• deps: update dependency conventional-recommended-bump to v6.0.2 (#​462) (84bb581)
• deps: update dependency stringify-package to v1.0.1 (#​459) (e06a835)
• deps: update dependency yargs to v14 (#​440) (fe37e73)
• deps: update dependency yargs to v14.2.0 (#​461) (fb21851)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

error Couldn't find match for "feat/resolve_dts" in "refs/heads/deprecation,refs/heads/master,refs/pull/1/head,refs/pull/10/head,refs/pull/11/head,refs/pull/13/head,refs/pull/2/head,refs/pull/3/head,refs/pull/4/head,refs/pull/5/head,refs/pull/6/head,refs/pull/7/head,refs/pull/8/head,refs/pull/9/head,refs/tags/v0.2.0,refs/tags/v0.3.0,refs/tags/v0.4.0,refs/tags/v0.4.1,refs/tags/v0.4.2,refs/tags/v0.5.0,refs/tags/v1.0.0,refs/tags/v1.0.1,refs/tags/v1.0.2,refs/tags/v1.1.0,refs/tags/v1.1.0-rc.1,refs/tags/v1.1.1" for "https://github.com/JounQin/eslint-import-resolver-typescript.git".

[changeset-bot]

⚠️ No Changeset found

Latest commit: f48464b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

(node:1181) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
(Use `node --trace-deprecation ...` to show where the warning was created)
error Couldn't find match for "feat/resolve_dts" in "refs/heads/deprecation,refs/heads/master,refs/pull/1/head,refs/pull/10/head,refs/pull/11/head,refs/pull/13/head,refs/pull/2/head,refs/pull/3/head,refs/pull/4/head,refs/pull/5/head,refs/pull/6/head,refs/pull/7/head,refs/pull/8/head,refs/pull/9/head,refs/tags/v0.2.0,refs/tags/v0.3.0,refs/tags/v0.4.0,refs/tags/v0.4.1,refs/tags/v0.4.2,refs/tags/v0.5.0,refs/tags/v1.0.0,refs/tags/v1.0.1,refs/tags/v1.0.2,refs/tags/v1.1.0,refs/tags/v1.1.0-rc.1,refs/tags/v1.1.1" for "https://github.com/JounQin/eslint-import-resolver-typescript.git".

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}