This repository has been archived by the owner on Jul 14, 2020. It is now read-only.
chore(deps): update dependency standard-version to v8.0.1 [security] #511
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
8.0.0
->8.0.1
GitHub Vulnerability Alerts
GHSA-7xcx-6wjh-7xp2
GitHub Security Lab (GHSL) Vulnerability Report:
GHSL-2020-111
The GitHub Security Lab team has identified a potential security vulnerability in standard-version.
Summary
The
standardVersion
function has a command injection vulnerability. Clients of thestandard-version
library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.Product
Standard Version
Tested Version
Commit 2f04ac8
Details
Issue 1: Command injection in
standardVersion
The following proof-of-concept illustrates the vulnerability. First install Standard Version and create an empty git repo to run the PoC in:
Now create a file with the following contents:
and run it:
Notice that a file named
exploit
has been created.This vulnerability is similar to command injection vulnerabilities that have been found in other Javascript libraries. Here are some examples:
CVE-2020-7646,
CVE-2020-7614,
CVE-2020-7597,
CVE-2019-10778,
CVE-2019-10776,
CVE-2018-16462,
CVE-2018-16461,
CVE-2018-16460,
CVE-2018-13797,
CVE-2018-3786,
CVE-2018-3772,
CVE-2018-3746,
CVE-2017-16100,
CVE-2017-16042.
We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the
standard-version
project here.Impact
This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.
Remediation
We recommend not using an API that can interpret a string as a shell command. For example, use
child_process.execFile
instead ofchild_process.exec
.Credit
This issue was discovered and reported by GitHub Engineer @erik-krogh (Erik Krogh Kristensen).
Contact
You can contact the GHSL team at
[email protected]
, please includeGHSL-2020-111
in any communication regarding this issue.Disclosure Policy
This report is subject to our coordinated disclosure policy.
Release Notes
conventional-changelog/standard-version
v8.0.1
Compare Source
Renovate configuration
📅 Schedule: "" in timezone Asia/Tokyo.
🚦 Automerge: Enabled.
♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.