
Vulnerability Prototype Pollution

Open DaviLhlapak opened this issue 4 years ago • 2 comments

A few days ago I went to install my project's packages and npm pointed out 4 critical security errors, but I couldn't understand the solution for it. I didn't find issues that matched the current problem; can you help me?

When running the command npm audit, it shows the following text:

# npm audit report

merge  <2.1.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1666
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/merge
  find-node-modules  <=2.1.0
  Depends on vulnerable versions of merge
  node_modules/find-node-modules
    commitizen  >=2.0.0
    Depends on vulnerable versions of cz-conventional-changelog
    Depends on vulnerable versions of find-node-modules
    node_modules/commitizen
      cz-conventional-changelog  >=3.0.2
      Depends on vulnerable versions of commitizen
      node_modules/commitizen/node_modules/cz-conventional-changelog
      node_modules/cz-conventional-changelog

4 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

These are the versions that I have installed: [email protected] [email protected]

Thanks in advance for your help.

About this Vulnerability: https://www.npmjs.com/advisories/1666

DaviLhlapak, May 06 '21 12:05
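The audit above flags merge <2.1.1 for prototype pollution (advisory 1666). The following is an added example, not code from the merge package, from commitizen or from this thread: a naive recursive merge of the kind the advisory class describes, placed beside a hardened version, so the risk carried by a transitive dependency like this is concrete. The payload string and all function names are constructed for the illustration.

```javascript
// Added example, not code from the merge package or this project: a naive deep
// merge of the kind advisory 1666 describes, beside a hardened version, to show
// why a merge-shaped transitive dependency is a prototype-pollution risk.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable: trusts every key in `source`. A "__proto__" key reads
// target.__proto__ (Object.prototype), recurses into it, and writes the
// attacker's properties onto every object in the process.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse keys that address the prototype chain, and only recurse
// into properties that `target` owns, never into inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker-shaped JSON body. JSON.parse creates an own property
// literally named "__proto__", which Object.keys() then yields.
const POLLUTION_PAYLOAD = '{"settings": {"theme": "dark"}, "__proto__": {"polluted": "yes"}}';

// Run the payload through a merge function and report what an unrelated,
// freshly created object afterwards sees on its prototype.
function pollutionResult(mergeFn) {
  mergeFn({}, JSON.parse(POLLUTION_PAYLOAD));
  const bystander = {};
  const leaked = bystander.polluted; // "yes" if Object.prototype was written
  delete Object.prototype.polluted;  // restore global state between runs
  return leaked;
}

console.log('naiveMerge leaks:', pollutionResult(naiveMerge)); // "yes"
console.log('safeMerge leaks:', pollutionResult(safeMerge));   // undefined
```

The key-denylist on its own is not enough: the own-property check matters too, because an inherited object reached through `target[key]` is exactly how the naive version ends up writing into the prototype chain.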

I just ran into this issue as well.

If you're using yarn, I was able to resolve this issue by adding a resolutions object to my package.json:

"resolutions": {
  "merge": "^2.1.1"
}

ezrafree, Feb 10 '22 00:02
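A resolutions entry only helps if every copy of merge in the tree, including the nested one under node_modules/commitizen/node_modules, actually resolved to 2.1.1 or later. The following is an added example, not part of the thread, that checks this against an npm package-lock.json (lockfileVersion 2 or 3, whose "packages" map is keyed by install path); the lockfile excerpt is constructed to mirror the audit tree above, and the function names are the example's own. It assumes release versions only (no pre-release tags) and does not read yarn.lock, which is not JSON.

```javascript
// Added example (not part of the thread): after pinning merge with yarn
// "resolutions" (or npm's "overrides" field), check that the lockfile really
// resolved every copy of merge, nested ones included, to 2.1.1 or later.

const PATCHED_MERGE = '2.1.1'; // first release outside the advisory's range

// Minimal x.y.z comparison. Pre-release suffixes are dropped (assumption:
// the lockfile pins release versions only).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Keys
// are install paths, so a nested copy shows up as
// node_modules/commitizen/node_modules/merge, not only node_modules/merge.
function findVulnerableMerge(lock) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (!installPath.endsWith('node_modules/merge')) continue;
    if (compareVersions(meta.version, PATCHED_MERGE) < 0) {
      hits.push({ path: installPath, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile excerpt shaped like the audit tree in the issue: the
// hoisted merge is still old, while the nested copy has already been updated.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app' },
    'node_modules/merge': { version: '1.2.1' },
    'node_modules/find-node-modules': { version: '2.1.0', dependencies: { merge: '^1.2.1' } },
    'node_modules/commitizen/node_modules/merge': { version: '2.1.1' },
  },
};

console.log(findVulnerableMerge(SAMPLE_LOCK)); // [{ path: 'node_modules/merge', version: '1.2.1' }]
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. On npm, the counterpart of yarn's resolutions is the "overrides" field in package.json (npm 8.3 and later); either way, re-run this check or `npm audit` afterwards rather than trusting the pin.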

Please up

aiKrice, Apr 07 '22 07:04