chore(deps-dev): [security] bump standard-version from 7.1.0 to 8.0.1

[dependabot-preview[bot]]

trafficstars

Bumps standard-version from 7.1.0 to 8.0.1. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Command Injection in standard-version

GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2020-111

The GitHub Security Lab team has identified a potential security vulnerability in standard-version.

Summary

The standardVersion function has a command injection vulnerability. Clients of the standard-version library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

Product

Standard Version

Tested Version

Commit 2f04ac8

Details

Issue 1: Command injection in standardVersion

The following proof-of-concept illustrates the vulnerability. First install Standard Version and create an empty git repo to run the PoC in:

Affected versions: < 8.0.1

Release notes

Sourced from standard-version's releases.

standard-version v8.0.1

Bug Fixes

• deps: update dependency conventional-changelog to v3.1.21 (#586) (fd456c9)
• deps: update dependency conventional-changelog-conventionalcommits to v4.3.0 (#587) (b3b5eed)
• deps: update dependency conventional-recommended-bump to v6.0.9 (#588) (d4d2ac2)
• deps: update dependency git-semver-tags to v4 (#589) (a0f0e81)
• Vulnerability Report GHSL-2020-11101 (9d978ac)

standard-version v8.0.0

⚠ BREAKING CHANGES

• composer.json and composer.lock will no longer be read from or bumped by default. If you need to obtain a version or write a version to these files, please use bumpFiles and/or packageFiles options accordingly.

Bug Fixes

• composer.json and composer.lock have been removed from default package and bump files. (c934f3a), closes #495 #394
• deps: update dependency conventional-changelog to v3.1.18 (#510) (e6aeb77)
• deps: update dependency yargs to v15.1.0 (#518) (8f36f9e)
• deps: update dependency yargs to v15.3.1 (#559) (d98cd46)

Changelog

Sourced from standard-version's changelog.

8.0.1 (2020-07-12)

Bug Fixes

• deps: update dependency conventional-changelog to v3.1.21 (#586) (fd456c9)
• deps: update dependency conventional-changelog-conventionalcommits to v4.3.0 (#587) (b3b5eed)
• deps: update dependency conventional-recommended-bump to v6.0.9 (#588) (d4d2ac2)
• deps: update dependency git-semver-tags to v4 (#589) (a0f0e81)
• Vulnerability Report GHSL-2020-11101 (9d978ac)

8.0.0 (2020-05-06)

⚠ BREAKING CHANGES

• composer.json and composer.lock will no longer be read from or bumped by default. If you need to obtain a version or write a version to these files, please use bumpFiles and/or packageFiles options accordingly.

Bug Fixes

• composer.json and composer.lock have been removed from default package and bump files. (c934f3a), closes #495 #394
• deps: update dependency conventional-changelog to v3.1.18 (#510) (e6aeb77)
• deps: update dependency yargs to v15.1.0 (#518) (8f36f9e)
• deps: update dependency yargs to v15.3.1 (#559) (d98cd46)

Commits

• 57e4e25 chore: release 8.0.1 (#611)
• 58105e1 chore: Adds basic issue templates (#613)
• 9d978ac fix: Vulnerability Report GHSL-2020-11101
• 267d78d chore: stop pinning deps (#615)
• da84ec4 test(windows): skip mock-git tests for Windows (#616)
• 871201f Merge pull request from GHSA-7xcx-6wjh-7xp2
• a0f0e81 fix(deps): update dependency git-semver-tags to v4 (#589)
• fd456c9 fix(deps): update dependency conventional-changelog to v3.1.21 (#586)
• b3b5eed fix(deps): update dependency conventional-changelog-conventionalcommits to v4...
• d4d2ac2 fix(deps): update dependency conventional-recommended-bump to v6.0.9 (#588)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by oss-bot, a new releaser for standard-version since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[coveralls]

Coverage remained the same at 91.837% when pulling faf8da7b4f6a6d4e69e95de18bb6e32a602c5ab6 on dependabot/npm_and_yarn/standard-version-8.0.1 into cbad6d1115b225cf3cd39b51686a63f8f30f49b9 on master.