fix(conventional-commits-parser): address CVE-2021-23425 (#841)

conventional-changelog · Sep 9, 2021 · 02b3d53 · 02b3d53
1 parent d747781
commit 02b3d53
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 8 deletions.
diff --git a/package.json b/package.json
@@ -48,7 +48,7 @@
     "c8": "^7.1.2",
     "chai": "^4.2.0",
     "concat-stream": "^2.0.0",
-    "conventional-changelog-core": "^4.2.1",
+    "conventional-changelog-core": "file://./packages/conventional-changelog-core",
     "coveralls": "^3.0.2",
     "eslint": "^7.0.0",
     "eslint-config-standard": "^16.0.1",

diff --git a/packages/conventional-changelog-angular/test/fixtures/_unknown-host.json b/packages/conventional-changelog-angular/test/fixtures/_unknown-host.json
@@ -1,4 +1,4 @@
 {
-  "repository": "unknown",
+  "repository": "http://unknown",
   "version": "v2.0.0"
 }
diff --git a/packages/conventional-changelog-conventionalcommits/test/fixtures/_unknown-host.json b/packages/conventional-changelog-conventionalcommits/test/fixtures/_unknown-host.json
@@ -1,4 +1,4 @@
 {
-  "repository": "unknown",
+  "repository": "http://unknown",
   "version": "v2.0.0"
 }
diff --git a/packages/conventional-changelog-core/lib/merge-config.js b/packages/conventional-changelog-core/lib/merge-config.js
@@ -180,7 +180,11 @@ function mergeConfig (options, context, gitRawCommitsOpts, parserOpts, writerOpt
           }
           context.owner = context.owner || repo.user || ''
           context.repository = context.repository || repo.project
-          context.repoUrl = /undefined/i.exec(browse) ? context.host : browse
+          if (repo.host && repo.project && repo.user) {
+            context.repoUrl = browse
+          } else {
+            context.repoUrl = context.host
+          }
         }
 
         context.packageData = pkg

diff --git a/packages/conventional-commits-parser/lib/parser.js b/packages/conventional-commits-parser/lib/parser.js
@@ -1,10 +1,13 @@
 'use strict'
-const trimOffNewlines = require('trim-off-newlines')
 const _ = require('lodash')
 
 const CATCH_ALL = /()(.+)/gi
 const SCISSOR = '# ------------------------ >8 ------------------------'
 
+function trimOffNewlines (input) {
+  return input.replace(/^(?:\r|\n)+|(?:\r|\n)+$/g, '')
+}
+
 function append (src, line) {
   if (src) {
     src += '\n' + line

diff --git a/packages/conventional-commits-parser/package.json b/packages/conventional-commits-parser/package.json
@@ -33,13 +33,12 @@
     "logs"
   ],
   "dependencies": {
-    "JSONStream": "^1.0.4",
     "is-text-path": "^1.0.1",
+    "JSONStream": "^1.0.4",
     "lodash": "^4.17.15",
     "meow": "^8.0.0",
     "split2": "^3.0.0",
-    "through2": "^4.0.0",
-    "trim-off-newlines": "^1.0.0"
+    "through2": "^4.0.0"
   },
   "scripts": {
     "test-windows": "echo 'make work on windows'"