sparkles-dev / sparkles

A web tech stack built on open source.
https://sparkles.dev
MIT License

build: update dependency standard-version to v8 [security] #687

Open renovate[bot] opened 3 months ago

renovate[bot] commented 3 months ago

This PR contains the following updates:

| Package | Change |
| --- | --- |
| standard-version | `^7.0.0` -> `^8.0.0` |

GitHub Vulnerability Alerts

GHSA-7xcx-6wjh-7xp2

GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2020-111

The GitHub Security Lab team has identified a potential security vulnerability in standard-version.

Summary

The standardVersion function has a command injection vulnerability. Clients of the standard-version library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

Product

Standard Version

Tested Version

Commit 2f04ac8

Details

Issue 1: Command injection in standardVersion

The following proof-of-concept illustrates the vulnerability. First install Standard Version and create an empty git repo to run the PoC in:

```sh
npm install standard-version
git init
echo "foo" > foo.txt # the git repo has to be non-empty
git add foo.txt
git commit -am "initial commit"
```

Now create a file named `test.js` with the following contents:

```javascript
var fs = require("fs");
// setting up a bit of environment
fs.writeFileSync("package.json", '{"name": "foo", "version": "1.0.0"}');

const standardVersion = require('standard-version')

standardVersion({
  noVerify: true,
  infile: 'foo.txt',
  releaseCommitMessageFormat: "bla `touch exploit`"
})
```

and run it:

```sh
node test.js
```

Notice that a file named `exploit` has been created: the backtick-quoted command embedded in `releaseCommitMessageFormat` was executed by the shell.

This vulnerability is similar to command injection vulnerabilities that have been found in other JavaScript libraries. Here are some examples: CVE-2020-7646, CVE-2020-7614, CVE-2020-7597, CVE-2019-10778, CVE-2019-10776, CVE-2018-16462, CVE-2018-16461, CVE-2018-16460, CVE-2018-13797, CVE-2018-3786, CVE-2018-3772, CVE-2018-3746, CVE-2017-16100, CVE-2017-16042.

We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the standard-version project here.

Impact

This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.

Remediation

We recommend not using an API that can interpret a string as a shell command. For example, use `child_process.execFile` (which passes arguments as an array directly to the program, with no shell in between) instead of `child_process.exec`.

Credit

This issue was discovered and reported by GitHub Engineer @erik-krogh (Erik Krogh Kristensen).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-111 in any communication regarding this issue.

Disclosure Policy

This report is subject to our coordinated disclosure policy.


Release Notes

conventional-changelog/standard-version (standard-version)

### [`v8.0.1`](https://redirect.github.com/conventional-changelog/standard-version/blob/HEAD/CHANGELOG.md#801-2020-07-12)

[Compare Source](https://redirect.github.com/conventional-changelog/standard-version/compare/v8.0.0...v8.0.1)

### [`v8.0.0`](https://redirect.github.com/conventional-changelog/standard-version/blob/HEAD/CHANGELOG.md#800-2020-05-06)

[Compare Source](https://redirect.github.com/conventional-changelog/standard-version/compare/v7.1.0...v8.0.0)

##### ⚠ BREAKING CHANGES

- `composer.json` and `composer.lock` will no longer be read from or bumped by default. If you need to obtain a version or write a version to these files, please use `bumpFiles` and/or `packageFiles` options accordingly.

##### Bug Fixes

- composer.json and composer.lock have been removed from default package and bump files. ([c934f3a](https://www.github.com/conventional-changelog/standard-version/commit/c934f3a38da4e7234d9dba3b2405f3b7e4dc5aa8)), closes [#495](https://redirect.github.com/conventional-changelog/standard-version/issues/495) [#394](https://redirect.github.com/conventional-changelog/standard-version/issues/394)
- **deps:** update dependency conventional-changelog to v3.1.18 ([#510](https://redirect.github.com/conventional-changelog/standard-version/issues/510)) ([e6aeb77](https://www.github.com/conventional-changelog/standard-version/commit/e6aeb779fe53ffed2a252e6cfd69cfcb786b9ef9))
- **deps:** update dependency yargs to v15.1.0 ([#518](https://redirect.github.com/conventional-changelog/standard-version/issues/518)) ([8f36f9e](https://www.github.com/conventional-changelog/standard-version/commit/8f36f9e073119fcbf5ad843237fb06a4ca42a0f9))
- **deps:** update dependency yargs to v15.3.1 ([#559](https://redirect.github.com/conventional-changelog/standard-version/issues/559)) ([d98cd46](https://www.github.com/conventional-changelog/standard-version/commit/d98cd4674b4d074c0b7f4d50d052ae618cf494c6))

### [`v7.1.0`](https://redirect.github.com/conventional-changelog/standard-version/blob/HEAD/CHANGELOG.md#710-2019-12-08)

[Compare Source](https://redirect.github.com/conventional-changelog/standard-version/compare/v7.0.1...v7.1.0)

##### Features

- Adds support for `header` (--header) configuration based on the spec. ([#364](https://redirect.github.com/conventional-changelog/standard-version/issues/364)) ([ba80a0c](https://redirect.github.com/conventional-changelog/standard-version/commit/ba80a0c27029f54c751fe845560504925b45eab8))
- custom 'bumpFiles' and 'packageFiles' support ([#372](https://redirect.github.com/conventional-changelog/standard-version/issues/372)) ([564d948](https://redirect.github.com/conventional-changelog/standard-version/commit/564d9482a459d5d7a2020c2972b4d39167ded4bf))

##### Bug Fixes

- **deps:** update dependency conventional-changelog to v3.1.15 ([#479](https://redirect.github.com/conventional-changelog/standard-version/issues/479)) ([492e721](https://redirect.github.com/conventional-changelog/standard-version/commit/492e72192ebf35d7c58c00526b1e6bd2abac7f13))
- **deps:** update dependency conventional-changelog-conventionalcommits to v4.2.3 ([#496](https://redirect.github.com/conventional-changelog/standard-version/issues/496)) ([bc606f8](https://redirect.github.com/conventional-changelog/standard-version/commit/bc606f8e96bcef1d46b28305622fc76dfbf306cf))
- **deps:** update dependency conventional-recommended-bump to v6.0.5 ([#480](https://redirect.github.com/conventional-changelog/standard-version/issues/480)) ([1e1e215](https://redirect.github.com/conventional-changelog/standard-version/commit/1e1e215a633963188cdb02be1316b5506e3b99b7))
- **deps:** update dependency yargs to v15 ([#484](https://redirect.github.com/conventional-changelog/standard-version/issues/484)) ([35b90c3](https://redirect.github.com/conventional-changelog/standard-version/commit/35b90c3f24cfb8237e94482fd20997900569193e))
- use require.resolve for the default preset ([#465](https://redirect.github.com/conventional-changelog/standard-version/issues/465)) ([d557372](https://redirect.github.com/conventional-changelog/standard-version/commit/d55737239530f5eee684e9cbf959f7238d609fd4))
- **deps:** update dependency detect-newline to v3.1.0 ([#482](https://redirect.github.com/conventional-changelog/standard-version/issues/482)) ([04ab36a](https://redirect.github.com/conventional-changelog/standard-version/commit/04ab36a12be58915cfa9c60771890e074d1f5685))
- **deps:** update dependency figures to v3.1.0 ([#468](https://redirect.github.com/conventional-changelog/standard-version/issues/468)) ([63300a9](https://redirect.github.com/conventional-changelog/standard-version/commit/63300a935c0079fd03e8e1acc55fd5b1dcea677f))
- **deps:** update dependency git-semver-tags to v3.0.1 ([#485](https://redirect.github.com/conventional-changelog/standard-version/issues/485)) ([9cc188c](https://redirect.github.com/conventional-changelog/standard-version/commit/9cc188cbb84ee3ae80d5e66f5c54727877313b14))
- **deps:** update dependency yargs to v14.2.1 ([#483](https://redirect.github.com/conventional-changelog/standard-version/issues/483)) ([dc1fa61](https://redirect.github.com/conventional-changelog/standard-version/commit/dc1fa6170ffe12d4f8b44b70d23688a64d2ad0fb))
- **deps:** update dependency yargs to v14.2.2 ([#488](https://redirect.github.com/conventional-changelog/standard-version/issues/488)) ([ecf26b6](https://redirect.github.com/conventional-changelog/standard-version/commit/ecf26b6fc9421a78fb81793c4a932f579f7e9d4a))

##### [7.0.1](https://redirect.github.com/conventional-changelog/standard-version/compare/v7.0.0...v7.0.1) (2019-11-07)

##### Bug Fixes

- **deps:** update dependency conventional-changelog to v3.1.12 ([#463](https://redirect.github.com/conventional-changelog/standard-version/issues/463)) ([f04161a](https://redirect.github.com/conventional-changelog/standard-version/commit/f04161ae624705e68f9018d563e9f3c09ccf6f30))
- **deps:** update dependency conventional-changelog-config-spec to v2.1.0 ([#442](https://redirect.github.com/conventional-changelog/standard-version/issues/442)) ([a2c5747](https://redirect.github.com/conventional-changelog/standard-version/commit/a2c574735ac5a165a190661b7735ea284bdc7dda))
- **deps:** update dependency conventional-recommended-bump to v6.0.2 ([#462](https://redirect.github.com/conventional-changelog/standard-version/issues/462)) ([84bb581](https://redirect.github.com/conventional-changelog/standard-version/commit/84bb581209b50357761cbec45bb8253f6a182801))
- **deps:** update dependency stringify-package to v1.0.1 ([#459](https://redirect.github.com/conventional-changelog/standard-version/issues/459)) ([e06a835](https://redirect.github.com/conventional-changelog/standard-version/commit/e06a835c8296a92f4fa7c07f98057d765c1a91e5))
- **deps:** update dependency yargs to v14 ([#440](https://redirect.github.com/conventional-changelog/standard-version/issues/440)) ([fe37e73](https://redirect.github.com/conventional-changelog/standard-version/commit/fe37e7390760d8d16d1b94ca58d8123e292c46a8))
- **deps:** update dependency yargs to v14.2.0 ([#461](https://redirect.github.com/conventional-changelog/standard-version/issues/461)) ([fb21851](https://redirect.github.com/conventional-changelog/standard-version/commit/fb2185107a90ba4b9dc7c9c1d873ed1283706ac1))

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.