[Fix]: Resolve Security Vulnerability by Refactoring Changelog Workflow#46

Open
theMasudRana wants to merge 2 commits into develop from fix/dependabot-issues

Conversation

@theMasudRana (Collaborator)

1. Executive Summary

This PR resolves a **Moderate Severity** Dependabot alert (Argument Injection in @conventional-changelog/git-client) by removing the package from our permanent dependency tree and switching to an on-demand execution model via npx.

2. The Dependency Deadlock

We attempted to resolve this through standard version bumps and npm overrides, but encountered a technical "deadlock":

  • Private Registry Blocker: Our current dependency tree (likely via recent @wordpress updates) is attempting to resolve @wordpress/vips, a private Automattic package.
  • 404 Errors: Since this package is not on the public npm registry and our environment lacks the specific enterprise access tokens for it, npm fails to regenerate a package-lock.json whenever we attempt to update or add packages.
  • The Result: We were unable to patch the security vulnerability using standard methods because the registry error crashed the installation process.

3. The Solution: On-Demand Execution

To bypass this blocker and eliminate the security risk, we have chosen to remove the dependency entirely:

  • Removal: conventional-changelog-cli has been uninstalled from devDependencies.
  • Runtime Execution: The changelog script has been updated to use npx.

Benefits of this approach:

  1. Security: The vulnerable package is no longer stored in our package-lock.json, satisfying security audits.
  2. Registry Bypass: By removing the package instead of updating it, we avoid the registry resolution errors that were blocking our build.
  3. Latest Versions: npx ensures that when we generate a changelog, we are always using a temporary, patched version of the CLI.

4. Changes

  • package.json: Removed conventional-changelog-cli from devDependencies.
  • package.json: Updated scripts.changelog to:
    "changelog": "npx conventional-changelog-cli -p angular -i CHANGELOG.md -s"
  • package-lock.json: Dependency tree cleaned of the vulnerable @conventional-changelog/git-client.

Verification: Run npm run changelog to confirm the script still generates the CHANGELOG.md as expected.
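Two checks a reviewer would want to run after this change, as an added example that is not code from the PR or the project: that the flagged package really is absent from package-lock.json (including nested copies), and whether the npx invocation carries a version spec, since an unpinned `npx conventional-changelog-cli` resolves whatever the registry currently serves as latest on each run. The package.json and package-lock.json contents below are constructed samples, not the repository's own files.

```python
"""Audit a changelog-via-npx setup: residual lockfile entries and npx pinning."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample package.json, mirroring the script described in the PR.
PACKAGE_JSON = json.loads("""
{
  "name": "example-plugin",
  "scripts": {
    "changelog": "npx conventional-changelog-cli -p angular -i CHANGELOG.md -s"
  },
  "devDependencies": {}
}
""")

# Constructed sample lockfile (lockfileVersion 3 layout) in which the
# flagged transitive dependency is still present, i.e. cleanup incomplete.
PACKAGE_LOCK = json.loads("""
{
  "name": "example-plugin",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-plugin", "devDependencies": {}},
    "node_modules/@wordpress/scripts": {"version": "30.0.0"},
    "node_modules/conventional-changelog-cli": {"version": "5.0.0"},
    "node_modules/@conventional-changelog/git-client": {"version": "1.0.1"}
  }
}
""")

# Matches "npx [flags...] <pkg>[@<spec>]", where <pkg> may be scoped.
NPX_RE = re.compile(
    r"\bnpx\s+(?:-[-\w]+\s+)*(?P<pkg>(?:@[\w.-]+/)?[\w.-]+)(?:@(?P<ver>\S+))?"
)

def lockfile_references(lock: Dict, package: str) -> List[str]:
    """Every lockfile path resolving to `package`, hoisted or nested."""
    suffix = "node_modules/" + package
    return sorted(p for p in lock.get("packages", {}) if p.endswith(suffix))

def npx_pin(script: str) -> Tuple[str, Optional[str]]:
    """(package, version spec or None) for the first npx call in `script`."""
    m = NPX_RE.search(script)
    if not m:
        raise ValueError("no npx invocation in script")
    return m.group("pkg"), m.group("ver")

def audit(pkg_json: Dict, lock: Dict, flagged: str) -> Dict:
    """Summarise residual lockfile entries and whether the npx call is pinned."""
    name, ver = npx_pin(pkg_json["scripts"]["changelog"])
    return {"residual": lockfile_references(lock, flagged),
            "npx_package": name, "npx_pinned": ver is not None}
```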

…changelog-cli dependency

- Changed the changelog script in package.json to use npx for conventional-changelog-cli.
- Removed conventional-changelog-cli from dependencies in package-lock.json.
- Cleaned up unnecessary dependencies related to conventional changelog generation.
@theMasudRana theMasudRana self-assigned this Feb 20, 2026
