chore(deps): update devdependency standard-version to v8 [security] #9
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^7.1.0
->^8.0.0
GitHub Vulnerability Alerts
GHSA-7xcx-6wjh-7xp2
GitHub Security Lab (GHSL) Vulnerability Report:
GHSL-2020-111
The GitHub Security Lab team has identified a potential security vulnerability in standard-version.
Summary
The
standardVersion
function has a command injection vulnerability. Clients of thestandard-version
library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.Product
Standard Version
Tested Version
Commit 2f04ac8
Details
Issue 1: Command injection in
standardVersion
The following proof-of-concept illustrates the vulnerability. First install Standard Version and create an empty git repo to run the PoC in:
Now create a file with the following contents:
and run it:
Notice that a file named
exploit
has been created.This vulnerability is similar to command injection vulnerabilities that have been found in other Javascript libraries. Here are some examples:
CVE-2020-7646,
CVE-2020-7614,
CVE-2020-7597,
CVE-2019-10778,
CVE-2019-10776,
CVE-2018-16462,
CVE-2018-16461,
CVE-2018-16460,
CVE-2018-13797,
CVE-2018-3786,
CVE-2018-3772,
CVE-2018-3746,
CVE-2017-16100,
CVE-2017-16042.
We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the
standard-version
project here.Impact
This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.
Remediation
We recommend not using an API that can interpret a string as a shell command. For example, use
child_process.execFile
instead ofchild_process.exec
.Credit
This issue was discovered and reported by GitHub Engineer @erik-krogh (Erik Krogh Kristensen).
Contact
You can contact the GHSL team at
[email protected]
, please includeGHSL-2020-111
in any communication regarding this issue.Disclosure Policy
This report is subject to our coordinated disclosure policy.
Release Notes
conventional-changelog/standard-version
v8.0.1
Compare Source
v8.0.0
Compare Source
⚠ BREAKING CHANGES
composer.json
andcomposer.lock
will no longer be read from or bumped by default. If you need to obtain a version or write a version to these files, please usebumpFiles
and/orpackageFiles
options accordingly.Bug Fixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.