PT-2022-20489 · Npm · Semantic-Release

Dmosen · Published 2022-06-09 · Updated 2022-06-17

CVE-2022-31051

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: semantic-release versions prior to 19.0.3

Description: The issue concerns the accidental disclosure of secrets in semantic-release, an open source npm package for automated version management and package publishing. Secrets that would normally be masked by semantic-release can be disclosed if they contain characters that encodeURI excludes from URI encoding. The exposure is limited to execution contexts where push access to the related repository requires modifying the repository URL to inject credentials.

Recommendations: For versions prior to 19.0.3, upgrade to version 19.0.3 to resolve the issue. As a temporary workaround for users unable to upgrade, verify that secrets are masked properly wherever they appear in a URL, in particular secrets containing characters that encodeURI leaves unencoded.
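The masking gap described above, as an added example that is not semantic-release's own code: a filter that replaces only the raw secret and its encodeURI form misses the secret once it is embedded in a push URL in percent-encoded form. The mask string, the sample secret, the URL shape and the hardened variant (which additionally covers the encodeURIComponent form) are assumptions made for illustration.

```javascript
// Added illustration, not code from semantic-release or from the advisory.
const SECRET_MASK = "[secure]"; // constructed placeholder mask string

// Constructed sample secret (not a real credential). '@' and ':' are left
// alone by encodeURI but percent-encoded by encodeURIComponent, so the
// secret has two different "URL forms" depending on which encoder is used.
const sampleSecret = "p@ss:w0rd";

// Constructed push URL with credentials injected per component, the way a
// publishing step might build it when push access needs an authenticated URL.
function buildAuthUrl(user, secret) {
  return `https://${encodeURIComponent(user)}:${encodeURIComponent(secret)}@example.com/org/repo.git`;
}

// Replace every listed form of every secret in the text.
function maskForms(text, secrets, formsOf) {
  let out = text;
  for (const s of secrets) {
    if (!s) continue; // never mask on an empty secret
    for (const form of new Set(formsOf(s))) {
      out = out.split(form).join(SECRET_MASK);
    }
  }
  return out;
}

// Weak masking: knows only the raw secret and its encodeURI form.
function maskWeak(text, secrets) {
  return maskForms(text, secrets, (s) => [s, encodeURI(s)]);
}

// Hardened masking (assumption: one way to close the gap): also covers the
// encodeURIComponent form, which is what the URL actually carries.
function maskHardened(text, secrets) {
  return maskForms(text, secrets, (s) => [s, encodeURI(s), encodeURIComponent(s)]);
}

// Constructed log line that echoes the push command, as a CI log might.
const logLine = `git push ${buildAuthUrl("bot", sampleSecret)} HEAD:main`;

// Detection check: does any known form of the secret survive in the output?
function leaksSecret(text, secret) {
  return [secret, encodeURI(secret), encodeURIComponent(secret)].some((f) => text.includes(f));
}
```

With the sample secret, maskWeak leaves "p%40ss%3Aw0rd" visible in the log line while maskHardened replaces it with the mask.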

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2022-31051
GHSA-X2PG-MJHR-2M5X
RHSA-2022:5555

Affected Products

Semantic-Release