Version 1.1.0, with the merge commit fix, is tagged, but I can't see it on npm. Is it published anywhere?

It is returning {} for merge commits.

Hello, @JPeer264!
We use this library in our project. However, there is a bug in the package on this line.
Blows up if info[1] is empty.

I've fixed it locally. Can I make PR?

Hi,

We would like to report a potential security vulnerability.
The bug is introduced because the package-exported method gitCommitInfo () fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a result, attackers may inject malicious command once he controls the hash content.

Here is the proof of concept.

const gitCommitInfo = require('git-commit-info')
// information of the latest commit in ./my_repo
gitCommitInfo({
  cwd: './my_repo',
  commit: '82442c2405804d7aa44e7bedbc0b93bb17707626' + " || touch ci ||", // a malicious file named ci will be crated
});

Please consider fixing it. thanks!

👋 Hello, @JPeer264 - a potential medium severity Command Injection - Generic (CWE-77) vulnerability in your repository has been disclosed to us.

Next Steps

1️⃣ Visit https://huntr.dev/bounties/1-other-JPeer264/node-git-commit-info for more advisory information.

2️⃣ Sign-up to validate or speak to the researcher for more assistance.

3️⃣ Propose a patch or outsource it to our community - whoever fixes it gets paid.

✏️ NOTE: If we don't hear from you in 14 days, we will proactively source a fix for this vulnerability (and open a PR) to ensure community safety.

Confused or need more help?

• Join us on our Discord and a member of our team will be happy to help! 🤗

• Speak to a member of our team: @JamieSlome

This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.