Security vulnerability at js-yaml

[pyrho]

@commitlint/load uses a vulnerable version of cosmicconfig (which uses a vulnerable version of js-yml), see https://nodesecurity.io/advisories/788 for more details on the security issue.
js-yml 3.13.0 is patched, but cosmicconfig has yet to update its version.

yarn audit output:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ commitlint                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ commitlint > @commitlint/cli > @commitlint/load >            │
│               │ cosmiconfig > js-yaml                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/788                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

Expected Behavior

Use a patched version of cosmicconfig when it's available, see this issue & pr

Current Behavior

Uses a vulnerable version of cosmiconfig.

Affected packages

• cli (load)
• core
• prompt
• config-angular

Possible Solution

1. Update cosmiconfig

[escapedcat]

Thx @pyrho!
We're watching the related issue of cosmiconfig and will update as soon as it's available.

[marionebl]

Having our automated tools (such us yarn audit) flagging this is good, thanks for reporting.

Reading the advisory reveals this attack vector has low to no impact on the cosmiconfig or commitlint use case, as we do not accept untrusted input that might be crafted into causing your commitlint process to hang.

We'll upgrade to a newer cosmiconfig version when they resolve cosmiconfig/cosmiconfig#180 eventually.

In the mean time you can use yarn resolutions to prevent yarn from installing flagged versions of js-yaml, effectively fixing the issue for yourself now:

• https://yarnpkg.com/lang/en/docs/selective-version-resolutions/
• An resolutions example in commitlint:
  

  commitlint/package.json

  Lines 97 to 107 in d6b7b5b

  	"resolutions": {
  	"**/lodash": "4.17.11",
  	"docsify-cli/**/randomatic": "3",
  	"docsify-cli/**/stringstream": "0.0.6",
  	"docsify-cli/**/sshpk": "1.14.1",
  	"docsify-cli/**/marked": "0.3.9",
  	"docsify-cli/**/hoek": "5.0.3",
  	"docsify-cli/**/braces": "2.3.1",
  	"deep-extend": "0.5.1",
  	"moment": "2.19.3",
  	"js-yaml": ">=3.13.0"

Due to the combination of the attack vector being irrelevant to commitlint users and the possibility to fix on your own I'll deescalate the priority for this.

[pyrho]

Thank you for taking the time to explain your reasoning.
I didn’t know about yarn resolutions, this is great and will indeed allow us to move forward.

[byCedric]

Security issue is patched in 5.2.0. I might be available to get some effort in fixing this in Commitlint too tomorrow evening (CEST).

[escapedcat]

@marionebl udpated cosmiconfig. It will be published with the next release.
He added a resolution for js-yaml as well: https://github.com/conventional-changelog/commitlint/blob/master/package.json#L108

[marionebl]

Fixed in the meantime