
Vulnerability warnings with ansi-regex and minimist #193

Open
Blackbaud-SteveBrush opened this issue Apr 28, 2022 · 11 comments

Comments

@Blackbaud-SteveBrush

Blackbaud-SteveBrush commented Apr 28, 2022

I'm seeing a few vulnerability warnings after installing 3.3.0, namely with ansi-regex and minimist.

@Blackbaud-SteveBrush Blackbaud-SteveBrush changed the title Is this project maintained? Vulnerability warnings with ansi-regex and minimist Apr 28, 2022
@Blackbaud-SteveBrush
Author

Related: commitizen/cz-cli#914

@igorlino

igorlino commented Jul 1, 2022

@LinusU any chance to make an update of dependencies to fix outstanding security warnings? It's very hard to use the package in any continuous integration build if critical vulnerabilities are shown when doing: npm audit

Thanks

@stevensacks

stevensacks commented Jul 25, 2022

The issue is in commitizen 4.2.4. It was resolved in commitizen 4.2.5.

─┬ cz-conventional-changelog@3.3.0
 └─┬ commitizen@4.2.4
   └── minimist@1.2.5

I tried to fix it by manually installing 4.2.5 and using resolution until this library is updated (if ever, it looks abandoned - no updates since 2020), but it breaks the build.

"resolutions": {
    "commitizen": "4.2.5",
    "minimist": "1.2.6"
},

/Users/me/project/node_modules/listr2/node_modules/slice-ansi/index.js:2
const isFullwidthCodePoint = require('is-fullwidth-code-point');
                             ^

Error [ERR_REQUIRE_ESM]: require() of ES Module /Users/me/project/node_modules/is-fullwidth-code-point/index.js from /Users/me/project/node_modules/listr2/node_modules/slice-ansi/index.js not supported.
Instead change the require of /Users/me/project/node_modules/is-fullwidth-code-point/index.js in /Users/me/project/node_modules/listr2/node_modules/slice-ansi/index.js to a dynamic import() which is available in all CommonJS modules.
    at Object.<anonymous> (/Users/me/project/node_modules/listr2/node_modules/slice-ansi/index.js:2:30)
    at Object.<anonymous> (/Users/me/project/node_modules/listr2/node_modules/cli-truncate/index.js:2:19)
    at async Promise.all (index 0) {
  code: 'ERR_REQUIRE_ESM'
}

@stevensacks

stevensacks commented Jul 25, 2022

@jimthedev @dmwelch When can we expect an update to this library to use 4.2.5?

@travi
Contributor

travi commented Jul 25, 2022

When can we expect an update to this library to use 4.2.5?

commitizen is defined as a range. While I support the minimum of that range being updated to force installation of the patched version, simply reinstalling/updating your lockfile can already allow you to use the patched version.
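The two points made above, that a caret range such as the one cz-conventional-changelog declares for commitizen already admits the patched 4.2.5, and that the lockfile is what actually pins the vulnerable minimist 1.2.5, can be checked mechanically. The script below is an added example, not code from this project or from anyone in the thread. It embeds a constructed package-lock.json that mirrors the npm ls tree posted earlier (the exact range cz-conventional-changelog declares is not stated in the thread, so "^4.2.4" is assumed), walks every node_modules path in it, and reports installed copies of a package that sit below the fixed version (minimist 1.2.6, the version the "resolutions" block above pins). It also implements npm's caret-range rule so you can confirm that a range admits a patched release before asking for a maintainer release.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample package-lock.json (lockfileVersion 2 "packages" layout)
# mirroring the tree posted in the thread:
#   cz-conventional-changelog@3.3.0 -> commitizen@4.2.4 -> minimist@1.2.5
# The "^4.2.4" range is an assumption; this is not a real project's lockfile.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-project",
    "lockfileVersion": 2,
    "packages": {
        "": {"devDependencies": {"cz-conventional-changelog": "^3.3.0"}},
        "node_modules/cz-conventional-changelog": {
            "version": "3.3.0", "dependencies": {"commitizen": "^4.2.4"}},
        "node_modules/commitizen": {
            "version": "4.2.4", "dependencies": {"minimist": "^1.2.5"}},
        "node_modules/minimist": {"version": "1.2.5"},
    },
})

# Minimum versions carrying the fix. minimist 1.2.6 is the version pinned via
# "resolutions" in the thread; this table is a constructed input, not an
# advisory database.
FIXED_IN: Dict[str, str] = {"minimist": "1.2.6"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse a plain MAJOR.MINOR.PATCH string (pre-release tags not handled)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    return tuple(int(x) for x in m.groups())


def caret_allows(range_spec: str, candidate: str) -> bool:
    """Does an npm caret range such as ^4.2.4 admit `candidate`?

    ^X.Y.Z allows >=X.Y.Z and <(X+1).0.0 when X > 0. For 0.Y.Z the minor is
    held fixed, and for 0.0.Z the patch is held fixed (npm caret semantics).
    """
    if not range_spec.startswith("^"):
        raise ValueError("only caret ranges are handled in this example")
    low = parse_version(range_spec[1:])
    cand = parse_version(candidate)
    if low[0] > 0:
        high = (low[0] + 1, 0, 0)
    elif low[1] > 0:
        high = (0, low[1] + 1, 0)
    else:
        high = (0, 0, low[2] + 1)
    return low <= cand < high


def find_outdated(lockfile_json: str, fixed_in: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, installed, fixed) for every installed copy of a package
    listed in `fixed_in` whose version is below the fixed version.

    Every node_modules path in the lockfile is inspected, so nested duplicate
    copies (node_modules/a/node_modules/minimist) are reported as well.
    """
    lock = json.loads(lockfile_json)
    hits: List[Tuple[str, str, str]] = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
        if name in fixed_in and parse_version(meta["version"]) < parse_version(fixed_in[name]):
            hits.append((path, meta["version"], fixed_in[name]))
    return hits


if __name__ == "__main__":
    for path, installed, fixed in find_outdated(SAMPLE_LOCKFILE, FIXED_IN):
        print(f"{path}: {installed} installed, fixed in {fixed}")
    # Shows that the declared range already admits the patched commitizen.
    print("^4.2.4 admits 4.2.5:", caret_allows("^4.2.4", "4.2.5"))
```

Pointing `find_outdated` at a real lockfile (read the file and pass its text) gives a CI-friendly check that fails only on the copies that are actually below the fixed version, rather than on the whole audit output; the caret check is the reason a lockfile refresh, not a new release of this package, is what moves commitizen to 4.2.5.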

@stevensacks

So you’re not going to release an update, something that would take you a few minutes, and instead off-loading the burden to every developer who uses this library to manually hack their package-lock file?

@travi
Contributor

travi commented Jul 25, 2022

you’re not going to

I'm not a maintainer. I can't make releases any more than you can. I was simply suggesting a solution that you could unblock yourself with in the meantime.

@stevensacks

Ah I was confused by you saying “while i support the minimum of that range”. It made it sound like you were a maintainer.

@travi
Contributor

travi commented Jul 26, 2022

Ah I was confused by you saying “while i support the minimum of that range”.

That statement was meant to clarify that I do think it is worthwhile for the change to be made in this project, even though there is a valid workaround now available.

Regardless of whether I was a maintainer or not, please consider the service that maintainers of OSS provide for free in their spare time. Being confrontational or acting entitled to their service can actively discourage them from spending effort on the tasks you would like to have completed, or even end up burning them out further than they may already be. I find commitizen to be an important project and would hate to see it end completely.

@stevensacks

stevensacks commented Jul 26, 2022

Hold up. Let’s clarify something. Your message read to me like you were a maintainer of this project, which meant you took time to reply on a thread giving an excuse why you weren’t going to release an update to resolve a vulnerability, when actually resolving it would have taken less time. If that was what happened, that would have been undeniably bad behavior on the part of the maintainer and it is not acting entitled to point that out.

@stevensacks

stevensacks commented Jul 26, 2022

It would take the same amount of time to update the version of a single dependency as it would to make an excuse why you aren't going to.

This project hasn't been updated in over 2 years. I don't know what you're worried about. It's already been abandoned. Clearly the maintainer has already checked out.
