Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Minimist dependent package vulnerability due to older version usage #945

Open
vishwas16 opened this issue Jun 17, 2022 · 7 comments
Open

Minimist dependent package vulnerability due to older version usage #945

vishwas16 opened this issue Jun 17, 2022 · 7 comments

Comments

@vishwas16
Copy link

Hi,

We are using commitizen package in our microservice api. As we know commitizen has a dependency on minimist package and it shows us a vulnerablility during our docker image scan.
Screenshot 2022-06-17 at 12 41 22 PM

Could you guys please update your package to a newer version or may be upgrade the minimist package to it's fixed version which is 1.2.6?

Hope to see the resolution soon on this issue. Thanks !
@vadim-shilov
Copy link

Hello,

The same problem!
npm audit defines this vulnerability as critical and blocks CI.

Looking forward to the fix :)

Thanks!

@HeartSquared
Copy link

Looks like the package.json shows that the upgrade has been done, but we're just lacking a release 🙏🏻

@iiLearner
Copy link

Hopefully this gets looked into asap

@ryansonshine
Copy link

I wouldn't count on a release anytime soon; see #914 (comment) for more details.

brett-vendia pushed a commit to CodeGenieApp/serverless-express that referenced this issue Jun 30, 2022
@brettstack
fix: migrate to commitizen fork
ec1ca7e 
for details see commitizen/cz-cli#945
and https://github.com/commitizen/cz-cli/issues/914\#issuecomment-1131383383
@Zhengqbbb
Copy link
Contributor

We're just lacking a release 🤯

@kdmcguire
Copy link

I believe this is fixed in the new release, 4.2.5.

@notrev notrev mentioned this issue Sep 6, 2022
Merged
@sawilde
Copy link

sawilde commented Dec 10, 2022

I note that your renovate bot has updated the minimist package to 1.2.7 do you know when we may see a release?

I would suggest that you allow "dependencies" to be updateable using "^x.x.x" syntax rather than pinning them thus allowing consumers of this package to take security updates without having to wait on yourselves.

@keeganstreet keeganstreet mentioned this issue Jan 20, 2023
Closed
OneDev0411 added a commit to OneDev0411/serverless-express that referenced this issue Mar 16, 2023
@OneDev0411
fix: migrate to commitizen fork
fd53be0 
for details see commitizen/cz-cli#945
and https://github.com/commitizen/cz-cli/issues/914\#issuecomment-1131383383
@emilyjablonski emilyjablonski mentioned this issue Oct 8, 2024
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@sawilde @kdmcguire @ryansonshine @vishwas16 @iiLearner @HeartSquared @vadim-shilov @Zhengqbbb