chore(deps): update devdependency standard-version to v8 [security] #67
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^4.4.0
->^8.0.0
GitHub Vulnerability Alerts
GHSA-7xcx-6wjh-7xp2
GitHub Security Lab (GHSL) Vulnerability Report:
GHSL-2020-111
The GitHub Security Lab team has identified a potential security vulnerability in standard-version.
Summary
The
standardVersion
function has a command injection vulnerability. Clients of thestandard-version
library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.Product
Standard Version
Tested Version
Commit 2f04ac8
Details
Issue 1: Command injection in
standardVersion
The following proof-of-concept illustrates the vulnerability. First install Standard Version and create an empty git repo to run the PoC in:
Now create a file with the following contents:
and run it:
Notice that a file named
exploit
has been created.This vulnerability is similar to command injection vulnerabilities that have been found in other Javascript libraries. Here are some examples:
CVE-2020-7646,
CVE-2020-7614,
CVE-2020-7597,
CVE-2019-10778,
CVE-2019-10776,
CVE-2018-16462,
CVE-2018-16461,
CVE-2018-16460,
CVE-2018-13797,
CVE-2018-3786,
CVE-2018-3772,
CVE-2018-3746,
CVE-2017-16100,
CVE-2017-16042.
We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the
standard-version
project here.Impact
This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.
Remediation
We recommend not using an API that can interpret a string as a shell command. For example, use
child_process.execFile
instead ofchild_process.exec
.Credit
This issue was discovered and reported by GitHub Engineer @erik-krogh (Erik Krogh Kristensen).
Contact
You can contact the GHSL team at
[email protected]
, please includeGHSL-2020-111
in any communication regarding this issue.Disclosure Policy
This report is subject to our coordinated disclosure policy.
Release Notes
conventional-changelog/standard-version (standard-version)
v8.0.1
Compare Source
v8.0.0
Compare Source
⚠ BREAKING CHANGES
composer.json
andcomposer.lock
will no longer be read from or bumped by default. If you need to obtain a version or write a version to these files, please usebumpFiles
and/orpackageFiles
options accordingly.Bug Fixes
v7.1.0
Compare Source
Features
header
(--header) configuration based on the spec. (#364) (ba80a0c)Bug Fixes
7.0.1 (2019-11-07)
Bug Fixes
v7.0.1
Compare Source
v7.0.0
Compare Source
⚠ BREAKING CHANGES
Bug Fixes
releaseCommitMessageFormat
(#351) (a7133cc)6.0.1 (2019-05-05)
Bug Fixes
v6.0.1
Compare Source
v6.0.0
Compare Source
Bug Fixes
Build System
Features
Tests
BREAKING CHANGES
v5.0.2
Compare Source
v5.0.1
Compare Source
Bug Fixes
v5.0.0
Compare Source
Bug Fixes
chore
Features
BREAKING CHANGES
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.