Describe the bug
There is a vulnerability being reported by Checkmarx/GitHub/NIST on the package conventional-recommended-bump before version 11.0.0.
https://devhub.checkmarx.com/cve-details/CVE-2025-59433/
I would like for commit-and-tag-version to patch in this version. It has some breaking changes over version 7, so I cannot reliably override the version of this nested package without application updates from commit-and-tag-version.
Current behavior
Vulnerability scanners, Checkmarx specifically, are identifying this as a vulnerability.
Expected behavior
I would like for this to not happen, so our vulnerability scanning tools don't flag this as an issue we need to resolve. I have noticed that the other reports on GitHub and NIST don't identify the package conventional-recommended-bump as an affected package. npm audit is also not reporting this as an issue. It is possible that Checkmarx is misidentifying this, but I would like for y'all to confirm.
Environment
- commit-and-tag-version version(s): 12.7.1
- Node/npm version: node 24.13.0, npm 11.6.2
- OS: mac/linux
Possible Solution
Additional context