
Minimist dependent package vulnerability due to older version usage

Open vishwas16 opened this issue 3 years ago • 7 comments

Hi,

We are using commitizen package in our microservice api. As we know commitizen has a dependency on minimist package and it shows us a vulnerability during our docker image scan. [Screenshot 2022-06-17 at 12 41 22 PM]

Could you guys please update your package to a newer version or maybe upgrade the minimist package to its fixed version, which is 1.2.6?

Hope to see the resolution soon on this issue. Thanks!

vishwas16, Jun 17 '22 07:06

Hello,

The same problem! npm audit defines this vulnerability as critical and blocks CI.

Looking forward to the fix :)

Thanks!

vadim-shilov, Jun 20 '22 13:06

Looks like the package.json shows that the upgrade has been done, but we're just lacking a release 🙏🏻

HeartSquared, Jun 21 '22 00:06

Hopefully this gets looked into asap

iiLearner, Jun 24 '22 15:06

I wouldn't count on a release anytime soon; see https://github.com/commitizen/cz-cli/issues/914#issuecomment-1131383383 for more details.

ryansonshine, Jun 27 '22 06:06

We're just lacking a release 🤯

Zhengqbbb, Jul 15 '22 11:07

I believe this is fixed in the new release, 4.2.5.

kdmcguire, Jul 17 '22 14:07

I note that your renovate bot has updated the minimist package to 1.2.7; do you know when we may see a release?

I would suggest that you allow "dependencies" to be updatable using "^x.x.x" syntax rather than pinning them, thus allowing consumers of this package to take security updates without having to wait on yourselves.

sawilde, Dec 10 '22 07:12
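The two checks this thread turns on, as an added example that is not cz-cli's code nor anything posted by the participants: find where a lock file resolves minimist below the 1.2.6 fix the opener asks for, and list exact-pinned ranges in package.json of the kind sawilde's comment warns about. The lock-file and manifest contents are constructed samples; the commitizen version in them is a placeholder.

```javascript
// Added example, not cz-cli code: flag minimist below the fixed version
// in a lock file and exact pins in package.json (inputs are constructed).
const VULN_PKG = 'minimist';
const FIXED_VERSION = '1.2.6'; // fixed version named in the issue

// Numeric "x.y.z" comparison; pre-release suffixes are ignored.
function semverLt(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Walk an npm lockfileVersion 1 "dependencies" tree and report every path
// at which the vulnerable package resolves below the fixed version.
function findVulnerable(lockDeps, path = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(lockDeps || {})) {
    const here = [...path, name];
    if (name === VULN_PKG && semverLt(entry.version, FIXED_VERSION)) {
      hits.push({ path: here.join(' > '), version: entry.version });
    }
    hits.push(...findVulnerable(entry.dependencies, here)); // nested deps
  }
  return hits;
}

// Names whose range is an exact pin ("1.2.3"), not "^"/"~", so consumers
// cannot pick up a patched release without a new release of this package.
function findPinned(deps) {
  return Object.entries(deps || {})
    .filter(([, range]) => /^\d+\.\d+\.\d+$/.test(range))
    .map(([name]) => name);
}

// Constructed samples mirroring the thread: commitizen pulls in an old
// transitive minimist, and package.json pins minimist exactly.
const sampleLock = { dependencies: {
  commitizen: { version: 'x.y.z' /* placeholder */, dependencies: { minimist: { version: '1.2.5' } } },
  minimist: { version: '1.2.6' },
} };
const samplePkg = { dependencies: { minimist: '1.2.5', chalk: '^4.1.0' } };

console.log(findVulnerable(sampleLock.dependencies)); // [{ path: 'commitizen > minimist', version: '1.2.5' }]
console.log(findPinned(samplePkg.dependencies));      // [ 'minimist' ]
```

Hoisted copies (the top-level minimist here) pass the check, so the nested path is what tells you which dependency still drags in the old version.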