Open renovate[bot] opened 4 years ago
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.
⚠️ Warning: custom changes will be lost.
This PR contains the following updates:
^7.1.0
->^8.0.0
GitHub Vulnerability Alerts
GHSA-7xcx-6wjh-7xp2
GitHub Security Lab (GHSL) Vulnerability Report:
GHSL-2020-111
The GitHub Security Lab team has identified a potential security vulnerability in standard-version.
Summary
The
standardVersion
function has a command injection vulnerability. Clients of thestandard-version
library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.Product
Standard Version
Tested Version
Commit 2f04ac8
Details
Issue 1: Command injection in
standardVersion
The following proof-of-concept illustrates the vulnerability. First install Standard Version and create an empty git repo to run the PoC in:
Now create a file with the following contents:
and run it:
Notice that a file named
exploit
has been created.This vulnerability is similar to command injection vulnerabilities that have been found in other Javascript libraries. Here are some examples: CVE-2020-7646, CVE-2020-7614, CVE-2020-7597, CVE-2019-10778, CVE-2019-10776, CVE-2018-16462, CVE-2018-16461, CVE-2018-16460, CVE-2018-13797, CVE-2018-3786, CVE-2018-3772, CVE-2018-3746, CVE-2017-16100, CVE-2017-16042.
We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the
standard-version
project here.Impact
This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.
Remediation
We recommend not using an API that can interpret a string as a shell command. For example, use
child_process.execFile
instead ofchild_process.exec
.Credit
This issue was discovered and reported by GitHub Engineer @erik-krogh (Erik Krogh Kristensen).
Contact
You can contact the GHSL team at
securitylab@github.com
, please includeGHSL-2020-111
in any communication regarding this issue.Disclosure Policy
This report is subject to our coordinated disclosure policy.
Release Notes
conventional-changelog/standard-version
### [`v8.0.1`](https://togithub.com/conventional-changelog/standard-version/blob/HEAD/CHANGELOG.md#801-httpswwwgithubcomconventional-changelogstandard-versioncomparev800v801-2020-07-12) [Compare Source](https://togithub.com/conventional-changelog/standard-version/compare/v8.0.0...v8.0.1) ### [`v8.0.0`](https://togithub.com/conventional-changelog/standard-version/blob/HEAD/CHANGELOG.md#800-httpswwwgithubcomconventional-changelogstandard-versioncomparev710v800-2020-05-06) [Compare Source](https://togithub.com/conventional-changelog/standard-version/compare/v7.1.0...v8.0.0) ##### ⚠ BREAKING CHANGES - `composer.json` and `composer.lock` will no longer be read from or bumped by default. If you need to obtain a version or write a version to these files, please use `bumpFiles` and/or `packageFiles` options accordingly. ##### Bug Fixes - composer.json and composer.lock have been removed from default package and bump files. ([c934f3a](https://www.github.com/conventional-changelog/standard-version/commit/c934f3a38da4e7234d9dba3b2405f3b7e4dc5aa8)), closes [#495](https://www.togithub.com/conventional-changelog/standard-version/issues/495) [#394](https://www.togithub.com/conventional-changelog/standard-version/issues/394) - **deps:** update dependency conventional-changelog to v3.1.18 ([#510](https://www.togithub.com/conventional-changelog/standard-version/issues/510)) ([e6aeb77](https://www.github.com/conventional-changelog/standard-version/commit/e6aeb779fe53ffed2a252e6cfd69cfcb786b9ef9)) - **deps:** update dependency yargs to v15.1.0 ([#518](https://www.togithub.com/conventional-changelog/standard-version/issues/518)) ([8f36f9e](https://www.github.com/conventional-changelog/standard-version/commit/8f36f9e073119fcbf5ad843237fb06a4ca42a0f9)) - **deps:** update dependency yargs to v15.3.1 ([#559](https://www.togithub.com/conventional-changelog/standard-version/issues/559)) ([d98cd46](https://www.github.com/conventional-changelog/standard-version/commit/d98cd4674b4d074c0b7f4d50d052ae618cf494c6))Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.