Security vulnerability (High Severity) in js-yaml dependency

[lukewlms]

Description

js-yaml needs to be updated to >= 3.13.0. The current version has a mod-severity security vulnerability.

Steps to reproduce

• Install latest
• Run npm audit / yarn audit

Debug Logs

expand to view

Not applicable

Environment

• OS: This applies in all environments
• Node.js: 1
• lint-staged: Latest: 8.1.5

[mattxwang]

As an update, npm audit now yields a high severity error (code injection) on the same dependency. For reference, this is on node version 10.15.3, but should be irrespective of node version. However, I just updated the dependency (husky also depended on it, and updated it) and it all worked out.

[okonet]

Please go ahead and submit a PR!

[mattxwang]

I looked into the issue on the side of cosmiconfig, and found this issue - in sum, short-term we just need to update the package-lock.json or yarn.lock, and long-term they are considering moving away from js-yaml as it has a history of security vulnerabilities.

I'm not familiar with the internals of lint-staged - would it be alright if we just bumped the version of cosmiconfig? What code relies on it? I don't mind submitting a PR to fix this up.

[okonet]

Yes, I believe it should be enough.

[okonet]

🎉 This issue has been resolved in version 8.1.7 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀