🚨 [security] Update commitizen 4.2.2 → 4.3.1 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ commitizen (4.2.2 → 4.3.1) · Repo

Release Notes

4.3.1

4.3.1 (2024-09-27)

Bug Fixes

• Close process after retry commit. Closes #974 (#1001) (3ce8dd5)

4.3.0

4.3.0 (2023-01-19)

Features

• init: add pnpm support (#915) (c1f4142), closes #893 #858

4.2.6

4.2.6 (2022-12-06)

Bug Fixes

• sec: upgrade semantic-release to 19.0.3 (#953) (815c69d)

4.2.5

4.2.5 (2022-07-17)

Bug Fixes

• deps: update all non-major dependencies (69de704)
• deps: update all non-major dependencies (3c2553f)
• deps: update dependencies from renovatebot PRs (#862) (64a8ed6)
• deps: update dependency glob to v7.1.6 (#861) (2505419)
• deps: update dependency inquirer to v8 (#874) (9c7e863)
• do not include .nyc_output in published files (#851) (68c377b), closes 4.2.4#d2h-425221 #730
• fix the "isFunction" utility to match both "asyncFunction"s and "Function"s (#927) (25dc80c), closes #926
• git-cz.js,staging.js: check for staged files before running prompt (#818) (fdb73cd), closes #785 #585 #785

4.2.4

4.2.4 (2021-05-07)

Bug Fixes

• deps: update find-node-modules to ^2.1.2 (#824) (e434901)

4.2.3

4.2.3 (2021-01-15)

Bug Fixes

• revert "use cz-conventional-changelog as default adapter (#778)" (#792) (f2fad87)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ braces (indirect, 2.3.2 → 3.0.3) · Repo · Changelog

Security Advisories 🚨

🚨 Uncontrolled resource consumption in braces

The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Release Notes

3.0.0 (from changelog)

v3.0 is a complete refactor, resulting in a faster, smaller codebase, with fewer deps, and a more accurate parser and compiler.

Breaking Changes

• The undocumented .makeRe method was removed

Non-breaking changes

• Caching was removed

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ cachedir (indirect, 2.2.0 → 2.3.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ detect-indent (indirect, 6.0.0 → 6.1.0) · Repo

Release Notes

6.1.0

• Ignore single space indents (#31) a1bc058

v6.0.0...v6.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ fill-range (indirect, 4.0.0 → 7.1.1) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ find-node-modules (indirect, 2.0.0 → 2.1.3) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ findup-sync (indirect, 3.0.0 → 4.0.0) · Repo · Changelog

Release Notes

4.0.0

Breaking

• Drop support for node <8 (4e46134)

Upgrade

• Update micromatch & devDeps (b926b21)

Build

• Ignore fixtures directory when linting (35cd0a2)
• Disable npm audit (3cee51e)

Scaffold

• Update license year (513e4de)
• Update repository template (67fa64b)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ fs-extra (indirect, 9.0.1 → 9.1.0) · Repo · Changelog

Release Notes

9.1.0 (from changelog)

• Add promise support for fs.rm() (#841, #860)
• Upgrade universalify for performance improvments (#825)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ glob (indirect, 7.0.6 → 7.2.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ is-number (indirect, 3.0.0 → 7.0.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ lodash (indirect, 4.17.20 → 4.17.21) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service (ReDoS) in lodash

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Steps to reproduce (provided by reporter Liyuan Chen):

var lo = require('lodash');
function build_blank(n) {

var ret = "1"

for (var i = 0; i < n; i++) {

ret += " "

}

return ret + "1";

}

var s = build_blank(50000) var time0 = Date.now();

lo.trim(s)

var time_cost0 = Date.now() - time0;

console.log("time_cost0: " + time_cost0);

var time1 = Date.now();

lo.toNumber(s) var time_cost1 = Date.now() - time1;

console.log("time_cost1: " + time_cost1);

var time2 = Date.now();

lo.trimEnd(s);

var time_cost2 = Date.now() - time2;

console.log("time_cost2: " + time_cost2);

🚨 Command Injection in lodash

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ merge (indirect, 1.2.1 → 2.1.1) · Repo · Changelog

Security Advisories 🚨

🚨 Prototype Pollution in merge

All versions of package merge <2.1.1 are vulnerable to Prototype Pollution via _recursiveMerge .

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ micromatch (indirect, 3.1.10 → 4.0.8) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service (ReDoS) in micromatch

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to #266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Release Notes

4.0.4

• fix: Update picomatch to fix regression #179 (8becb55)

4.0.3

• Enforce newer version of picomatch with bugfixes

4.0.0 (from changelog)

Added

• Adds support for options.onMatch. See the readme for details
• Adds support for options.onIgnore. See the readme for details
• Adds support for options.onResult. See the readme for details

Breaking changes

• Removed support for passing an array of brace patterns to micromatch.braces().
• To strictly enforce closing brackets (for {, [, and (), you must now use strictBrackets=true instead of strictErrors.
• cache - caching and all related options and methods have been removed
• options.unixify was renamed to options.windows
• options.nodupes Was removed. Duplicates are always removed by default. You can override this with custom behavior by using the onMatch, onResult and onIgnore functions.
• options.snapdragon was removed, as snapdragon is no longer used.
• options.sourcemap was removed, as snapdragon is no longer used, which provided sourcemap support.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minimatch (indirect, 3.0.4 → 3.1.2) · Repo · Changelog

Security Advisories 🚨

🚨 minimatch ReDoS vulnerability

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minimist (indirect, 1.2.5 → 1.2.7) · Repo · Changelog

Security Advisories 🚨

🚨 Prototype Pollution in minimist

Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ strip-json-comments (indirect, 3.0.1 → 3.1.1) · Repo

Release Notes

3.1.1

• Add jsonc to package.json keywords (#45) 60d2039

v3.1.0...v3.1.1

3.1.0

• Strictly validate that the jsonString argument is a string 681f8b8

v3.0.1...v3.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ to-regex-range (indirect, 2.1.1 → 5.0.1) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 base64-js (added, 1.5.1)

🆕 bl (added, 4.1.0)

🆕 buffer (added, 5.7.1)

🆕 cli-spinners (added, 2.9.2)

🆕 clone (added, 1.0.4)

🆕 defaults (added, 1.0.4)

🆕 ieee754 (added, 1.2.1)

🆕 is-interactive (added, 1.0.0)

🆕 is-unicode-supported (added, 0.1.0)

🆕 log-symbols (added, 4.1.0)

🆕 ora (added, 5.4.1)

🆕 picomatch (added, 2.3.1)

🆕 wcwidth (added, 1.0.1)

🗑️ arr-diff (removed)

🗑️ arr-flatten (removed)

🗑️ arr-union (removed)

🗑️ array-unique (removed)

🗑️ assign-symbols (removed)

🗑️ atob (removed)

🗑️ base (removed)

🗑️ cache-base (removed)

🗑️ class-utils (removed)

🗑️ collection-visit (removed)

🗑️ component-emitter (removed)

🗑️ copy-descriptor (removed)

🗑️ decode-uri-component (removed)

🗑️ define-property (removed)

🗑️ expand-brackets (removed)

🗑️ extend-shallow (removed)

🗑️ extglob (removed)

🗑️ for-in (removed)

🗑️ fragment-cache (removed)

🗑️ get-value (removed)

🗑️ has-value (removed)

🗑️ has-values (removed)

🗑️ is-accessor-descriptor (removed)

🗑️ is-buffer (removed)

🗑️ is-data-descriptor (removed)

🗑️ is-descriptor (removed)

🗑️ is-extendable (removed)

🗑️ is-plain-object (removed)

🗑️ isobject (removed)

🗑️ map-cache (removed)

🗑️ map-visit (removed)

🗑️ mixin-deep (removed)

🗑️ nanomatch (removed)

🗑️ object-copy (removed)

🗑️ object-visit (removed)

🗑️ object.pick (removed)

🗑️ pascalcase (removed)

🗑️ posix-character-classes (removed)

🗑️ regex-not (removed)

🗑️ repeat-element (removed)

🗑️ repeat-string (removed)

🗑️ resolve-url (removed)

🗑️ ret (removed)

🗑️ safe-regex (removed)

🗑️ set-value (removed)

🗑️ snapdragon (removed)

🗑️ snapdragon-node (removed)

🗑️ snapdragon-util (removed)

🗑️ source-map (removed)

🗑️ source-map-resolve (removed)

🗑️ source-map-url (removed)

🗑️ split-string (removed)

🗑️ static-extend (removed)

🗑️ to-object-path (removed)

🗑️ to-regex (removed)

🗑️ union-value (removed)

🗑️ unset-value (removed)

🗑️ urix (removed)

🗑️ use (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)