
gitlog - npm Package Compare versions

Comparing version 4.0.3 to 4.0.4

.github/PULL_REQUEST_TEMPLATE.md

15

CHANGELOG.md

@@ -0,1 +1,16 @@

# v4.0.4 (Tue Jan 05 2021)
#### 🐛 Bug Fix
- Fix build + lint [#68](https://github.com/domharrington/node-gitlog/pull/68) ([@hipstersmoothie](https://github.com/hipstersmoothie))
- fix lint and run build/test/lint on PRs [#66](https://github.com/domharrington/node-gitlog/pull/66) ([@hipstersmoothie](https://github.com/hipstersmoothie))
- Patch command injection vulnerability [#65](https://github.com/domharrington/node-gitlog/pull/65) ([@ron-checkmarx](https://github.com/ron-checkmarx))
#### Authors: 2
- Andrew Lisowski ([@hipstersmoothie](https://github.com/hipstersmoothie))
- Ron ([@ron-checkmarx](https://github.com/ron-checkmarx))
---
# v4.0.3 (Mon Oct 05 2020)

@@ -2,0 +17,0 @@

42

dist/gitlog.cjs.development.js

@@ -62,3 +62,3 @@ 'use strict';

function addOptional(command, options) {
function addOptionalArguments(command, options) {
var commandWithOptions = command;

@@ -69,3 +69,3 @@ var cmdOptional = ["author", "since", "after", "until", "before", "committer"];

if (options[cmdOptional[i]]) {
commandWithOptions += " --" + cmdOptional[i] + "=\"" + options[cmdOptional[i]] + "\"";
commandWithOptions.push("--" + cmdOptional[i] + "=" + options[cmdOptional[i]]);
}

@@ -144,22 +144,22 @@ }

function createCommand(options) {
function createCommandArguments(options) {
// Start constructing command
var command = "git log -l0 ";
var command = ["log", "-l0"];
if (options.findCopiesHarder) {
command += "--find-copies-harder ";
command.push("--find-copies-harder");
}
if (options.all) {
command += "--all ";
command.push("--all");
}
if (options.includeMergeCommitFiles) {
command += "-m ";
command.push("-m");
}
command += "-n " + options.number;
command = addOptional(command, options); // Start of custom format
command.push("-n " + options.number);
command = addOptionalArguments(command, options); // Start of custom format
command += ' --pretty="@begin@'; // Iterating through the fields and adding them to the custom format
var prettyArgument = "--pretty=@begin@"; // Iterating through the fields and adding them to the custom format

@@ -172,3 +172,3 @@ if (options.fields) {

command += delimiter + fieldMap[field];
prettyArgument += delimiter + fieldMap[field];
});

@@ -178,6 +178,7 @@ } // Close custom format

command += '@end@"'; // Append branch (revision range) if specified
prettyArgument += "@end@";
command.push(prettyArgument); // Append branch (revision range) if specified
if (options.branch) {
command += " " + options.branch;
command.push(options.branch);
} // File and file status

@@ -187,11 +188,12 @@

if (options.nameStatus && !options.fileLineRange) {
command += " --name-status";
command.push("--name-status");
}
if (options.fileLineRange) {
command += " -L " + options.fileLineRange.startLine + "," + options.fileLineRange.endLine + ":" + options.fileLineRange.file;
command.push("-L " + options.fileLineRange.startLine + "," + options.fileLineRange.endLine + ":" + options.fileLineRange.file);
}
if (options.file) {
command += " -- " + options.file;
command.push("--");
command.push(options.file);
}

@@ -213,3 +215,3 @@

var options = _extends({}, defaultOptions, {}, userOptions);
var options = _extends({}, defaultOptions, userOptions);

@@ -220,6 +222,6 @@ var execOptions = _extends({

var command = createCommand(options);
var commandArguments = createCommandArguments(options);
if (!cb) {
var stdout = child_process.execSync(command, execOptions).toString();
var stdout = child_process.execFileSync("git", commandArguments, execOptions).toString();
var commits = stdout.split("@begin@");

@@ -235,3 +237,3 @@

child_process.exec(command, execOptions, function (err, stdout, stderr) {
child_process.execFile("git", commandArguments, execOptions, function (err, stdout, stderr) {
debug("stdout", stdout);

@@ -238,0 +240,0 @@ var commits = stdout.split("@begin@");

@@ -1,2 +0,2 @@

"use strict";Object.defineProperty(exports,"__esModule",{value:!0});var e,t=require("child_process"),r=require("fs");function n(){return(n=Object.assign||function(e){for(var t=1;t<arguments.length;t++){var r=arguments[t];for(var n in r)Object.prototype.hasOwnProperty.call(r,n)&&(e[n]=r[n])}return e}).apply(this,arguments)}var i=((e=require("debug"))&&"object"==typeof e&&"default"in e?e.default:e)("gitlog"),a={hash:"%H",abbrevHash:"%h",treeHash:"%T",abbrevTreeHash:"%t",parentHashes:"%P",abbrevParentHashes:"%P",authorName:"%an",authorEmail:"%ae",authorDate:"%ai",authorDateRel:"%ar",committerName:"%cn",committerEmail:"%ce",committerDate:"%cd",committerDateRel:"%cr",subject:"%s",body:"%b",rawBody:"%B"},o=["status","files"],s={number:10,fields:["abbrevHash","hash","subject","authorName","authorDate"],nameStatus:!0,includeMergeCommitFiles:!1,findCopiesHarder:!1,all:!1},l=function(e,t,r){return e.map((function(e){var n=e.split("@end@"),a=n[0].split("\t");if(n[1]){var s=n[1].trimLeft().split("\n");""===s[s.length-1]&&s.pop(),s.map((function(e){return e.split("\t")})).forEach((function(e){for(var t=e[0],r=[t,e[e.length-1]],n=1,i=e.length-1;n<i;n++)"R"===t.slice(0,1)&&r.push("D",e[n]);a.push.apply(a,r)}))}i("commit",a),a.shift();var l={};return r&&o.forEach((function(e){l[e]=[]})),a.forEach((function(e,n){if(t[n])l[t[n]]=e;else if(r){var a=(n-t.length)%o.length;i("nameStatus",n-t.length,o.length,a,e);var s=l[o[a]];Array.isArray(s)&&s.push(e)}})),l}))};function u(e,u){if(!e.repo)throw new Error("Repo required!");if(!r.existsSync(e.repo))throw new Error("Repo location does not exist");var f=n({},s,{},e),c=n({cwd:e.repo},e.execOptions),h=function(e){var t="git log -l0 ";return e.findCopiesHarder&&(t+="--find-copies-harder "),e.all&&(t+="--all "),e.includeMergeCommitFiles&&(t+="-m "),t=function(e,t){for(var r=e,n=["author","since","after","until","before","committer"],i=n.length;i--;)t[n[i]]&&(r+=" --"+n[i]+'="'+t[n[i]]+'"');return r}(t+="-n "+e.number,e),t+=' 
--pretty="@begin@',e.fields&&e.fields.forEach((function(e){if(!a[e]&&!o.includes(e))throw new Error("Unknown field: "+e);t+="\t"+a[e]})),t+='@end@"',e.branch&&(t+=" "+e.branch),e.nameStatus&&!e.fileLineRange&&(t+=" --name-status"),e.fileLineRange&&(t+=" -L "+e.fileLineRange.startLine+","+e.fileLineRange.endLine+":"+e.fileLineRange.file),e.file&&(t+=" -- "+e.file),i("command",e.execOptions,t),t}(f);if(!u){var m=t.execSync(h,c).toString().split("@begin@");return""===m[0]&&m.shift(),i("commits",m),l(m,f.fields,f.nameStatus)}t.exec(h,c,(function(e,t,r){i("stdout",t);var n=t.split("@begin@");""===n[0]&&n.shift(),i("commits",n),u(r||e,l(n,f.fields,f.nameStatus))}))}exports.default=u,exports.gitlogPromise=function(e){return new Promise((function(t,r){u(e,(function(e,n){e?r(e):t(n)}))}))};
"use strict";Object.defineProperty(exports,"__esModule",{value:!0});var e,t=require("child_process"),r=require("fs");function n(){return(n=Object.assign||function(e){for(var t=1;t<arguments.length;t++){var r=arguments[t];for(var n in r)Object.prototype.hasOwnProperty.call(r,n)&&(e[n]=r[n])}return e}).apply(this,arguments)}var i=((e=require("debug"))&&"object"==typeof e&&"default"in e?e.default:e)("gitlog"),a={hash:"%H",abbrevHash:"%h",treeHash:"%T",abbrevTreeHash:"%t",parentHashes:"%P",abbrevParentHashes:"%P",authorName:"%an",authorEmail:"%ae",authorDate:"%ai",authorDateRel:"%ar",committerName:"%cn",committerEmail:"%ce",committerDate:"%cd",committerDateRel:"%cr",subject:"%s",body:"%b",rawBody:"%B"},s=["status","files"],o={number:10,fields:["abbrevHash","hash","subject","authorName","authorDate"],nameStatus:!0,includeMergeCommitFiles:!1,findCopiesHarder:!1,all:!1},u=function(e,t,r){return e.map((function(e){var n=e.split("@end@"),a=n[0].split("\t");if(n[1]){var o=n[1].trimLeft().split("\n");""===o[o.length-1]&&o.pop(),o.map((function(e){return e.split("\t")})).forEach((function(e){for(var t=e[0],r=[t,e[e.length-1]],n=1,i=e.length-1;n<i;n++)"R"===t.slice(0,1)&&r.push("D",e[n]);a.push.apply(a,r)}))}i("commit",a),a.shift();var u={};return r&&s.forEach((function(e){u[e]=[]})),a.forEach((function(e,n){if(t[n])u[t[n]]=e;else if(r){var a=(n-t.length)%s.length;i("nameStatus",n-t.length,s.length,a,e);var o=u[s[a]];Array.isArray(o)&&o.push(e)}})),u}))};function l(e,l){if(!e.repo)throw new Error("Repo required!");if(!r.existsSync(e.repo))throw new Error("Repo location does not exist");var f=n({},o,e),c=n({cwd:e.repo},e.execOptions),h=function(e){var t=["log","-l0"];e.findCopiesHarder&&t.push("--find-copies-harder"),e.all&&t.push("--all"),e.includeMergeCommitFiles&&t.push("-m"),t.push("-n "+e.number),t=function(e,t){for(var r=e,n=["author","since","after","until","before","committer"],i=n.length;i--;)t[n[i]]&&r.push("--"+n[i]+"="+t[n[i]]);return r}(t,e);var 
r="--pretty=@begin@";return e.fields&&e.fields.forEach((function(e){if(!a[e]&&!s.includes(e))throw new Error("Unknown field: "+e);r+="\t"+a[e]})),t.push(r+="@end@"),e.branch&&t.push(e.branch),e.nameStatus&&!e.fileLineRange&&t.push("--name-status"),e.fileLineRange&&t.push("-L "+e.fileLineRange.startLine+","+e.fileLineRange.endLine+":"+e.fileLineRange.file),e.file&&(t.push("--"),t.push(e.file)),i("command",e.execOptions,t),t}(f);if(!l){var p=t.execFileSync("git",h,c).toString().split("@begin@");return""===p[0]&&p.shift(),i("commits",p),u(p,f.fields,f.nameStatus)}t.execFile("git",h,c,(function(e,t,r){i("stdout",t);var n=t.split("@begin@");""===n[0]&&n.shift(),i("commits",n),l(r||e,u(n,f.fields,f.nameStatus))}))}exports.default=l,exports.gitlogPromise=function(e){return new Promise((function(t,r){l(e,(function(e,n){e?r(e):t(n)}))}))};
//# sourceMappingURL=gitlog.cjs.production.min.js.map

@@ -1,2 +0,2 @@

import { execSync, exec } from 'child_process';
import { execFileSync, execFile } from 'child_process';
import { existsSync } from 'fs';

@@ -56,3 +56,3 @@ import createDebugger from 'debug';

function addOptional(command, options) {
function addOptionalArguments(command, options) {
var commandWithOptions = command;

@@ -63,3 +63,3 @@ var cmdOptional = ["author", "since", "after", "until", "before", "committer"];

if (options[cmdOptional[i]]) {
commandWithOptions += " --" + cmdOptional[i] + "=\"" + options[cmdOptional[i]] + "\"";
commandWithOptions.push("--" + cmdOptional[i] + "=" + options[cmdOptional[i]]);
}

@@ -138,22 +138,22 @@ }

function createCommand(options) {
function createCommandArguments(options) {
// Start constructing command
var command = "git log -l0 ";
var command = ["log", "-l0"];
if (options.findCopiesHarder) {
command += "--find-copies-harder ";
command.push("--find-copies-harder");
}
if (options.all) {
command += "--all ";
command.push("--all");
}
if (options.includeMergeCommitFiles) {
command += "-m ";
command.push("-m");
}
command += "-n " + options.number;
command = addOptional(command, options); // Start of custom format
command.push("-n " + options.number);
command = addOptionalArguments(command, options); // Start of custom format
command += ' --pretty="@begin@'; // Iterating through the fields and adding them to the custom format
var prettyArgument = "--pretty=@begin@"; // Iterating through the fields and adding them to the custom format

@@ -166,3 +166,3 @@ if (options.fields) {

command += delimiter + fieldMap[field];
prettyArgument += delimiter + fieldMap[field];
});

@@ -172,6 +172,7 @@ } // Close custom format

command += '@end@"'; // Append branch (revision range) if specified
prettyArgument += "@end@";
command.push(prettyArgument); // Append branch (revision range) if specified
if (options.branch) {
command += " " + options.branch;
command.push(options.branch);
} // File and file status

@@ -181,11 +182,12 @@

if (options.nameStatus && !options.fileLineRange) {
command += " --name-status";
command.push("--name-status");
}
if (options.fileLineRange) {
command += " -L " + options.fileLineRange.startLine + "," + options.fileLineRange.endLine + ":" + options.fileLineRange.file;
command.push("-L " + options.fileLineRange.startLine + "," + options.fileLineRange.endLine + ":" + options.fileLineRange.file);
}
if (options.file) {
command += " -- " + options.file;
command.push("--");
command.push(options.file);
}

@@ -207,3 +209,3 @@

var options = _extends({}, defaultOptions, {}, userOptions);
var options = _extends({}, defaultOptions, userOptions);

@@ -214,6 +216,6 @@ var execOptions = _extends({

var command = createCommand(options);
var commandArguments = createCommandArguments(options);
if (!cb) {
var stdout = execSync(command, execOptions).toString();
var stdout = execFileSync("git", commandArguments, execOptions).toString();
var commits = stdout.split("@begin@");

@@ -229,3 +231,3 @@

exec(command, execOptions, function (err, stdout, stderr) {
execFile("git", commandArguments, execOptions, function (err, stdout, stderr) {
debug("stdout", stdout);

@@ -232,0 +234,0 @@ var commits = stdout.split("@begin@");

/// <reference types="node" />
import { ExecSyncOptions, ExecException } from "child_process";
import { ExecFileSyncOptions, ExecException } from "child_process";
declare const fieldMap: {

@@ -98,3 +98,3 @@ readonly hash: "%H";

/** Specify some options to be passed to the .exec() method */
execOptions?: ExecSyncOptions;
execOptions?: ExecFileSyncOptions;
}

@@ -101,0 +101,0 @@ declare type GitlogError = ExecException | string | null;

{
"name": "gitlog",
"version": "4.0.3",
"version": "4.0.4",
"description": "Git log parser for Node.JS",

@@ -12,3 +12,4 @@ "module": "dist/gitlog.esm.js",

"test": "tsdx test",
"lint": "tsdx lint src test"
"lint": "tsdx lint src test",
"format": "prettier --write ."
},

@@ -33,17 +34,17 @@ "publishConfig": {

"devDependencies": {
"@auto-it/all-contributors": "^9.26.5",
"@auto-it/first-time-contributor": "^9.26.5",
"@auto-it/all-contributors": "^10.5.0",
"@auto-it/first-time-contributor": "^10.5.0",
"@auto-it/pr-body-labels": "^10.5.0",
"@types/debug": "^4.1.5",
"@types/jest": "^25.2.1",
"all-contributors-cli": "^6.14.1",
"auto": "^9.26.5",
"husky": "^4.2.3",
"lint-staged": "^10.1.2",
"prettier": "^2.0.4",
"tsdx": "^0.13.1",
"typescript": "^3.8.3"
"auto": "^10.5.0",
"husky": "^4.3.6",
"lint-staged": "^10.5.3",
"prettier": "^2.2.1",
"tsdx": "^0.13.3",
"typescript": "^3.9.7"
},
"dependencies": {
"debug": "^4.1.1",
"tslib": "^1.11.1"
"tslib": "^1.14.1"
},

@@ -56,3 +57,3 @@ "husky": {

"lint-staged": {
"*.{js,css,md,ts,json}": "prettier --write"
"*.{js,css,md,ts,json}": "npm run format"
},

@@ -64,5 +65,6 @@ "auto": {

"first-time-contributor",
"all-contributors"
"all-contributors",
"pr-body-labels"
]
}
}

@@ -247,2 +247,3 @@ # node-gitlog

<td align="center"><a href="https://salmonmode.github.io/"><img src="https://avatars3.githubusercontent.com/u/13908130?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Chris NeJame</b></sub></a><br /><a href="https://github.com/domharrington/node-gitlog/commits?author=SalmonMode" title="Documentation">📖</a> <a href="https://github.com/domharrington/node-gitlog/commits?author=SalmonMode" title="Tests">⚠️</a> <a href="https://github.com/domharrington/node-gitlog/commits?author=SalmonMode" title="Code">💻</a></td>
<td align="center"><a href="https://github.com/ron-checkmarx"><img src="https://avatars2.githubusercontent.com/u/67099202?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Ron</b></sub></a><br /><a href="https://github.com/domharrington/node-gitlog/commits?author=ron-checkmarx" title="Tests">⚠️</a> <a href="https://github.com/domharrington/node-gitlog/commits?author=ron-checkmarx" title="Code">💻</a></td>
</tr>

@@ -249,0 +250,0 @@ </table>

@@ -1,2 +0,7 @@

import { exec, execSync, ExecSyncOptions, ExecException } from "child_process";
import {
execFile,
execFileSync,
ExecFileSyncOptions,
ExecException,
} from "child_process";
import { existsSync } from "fs";

@@ -116,3 +121,3 @@ import createDebugger from "debug";

/** Specify some options to be passed to the .exec() method */
execOptions?: ExecSyncOptions;
execOptions?: ExecFileSyncOptions;
}

@@ -130,4 +135,4 @@

/** Add optional parameter to command */
function addOptional<Field extends string = DefaultField>(
command: string,
function addOptionalArguments<Field extends string = DefaultField>(
command: string[],
options: GitlogOptions<Field>

@@ -147,3 +152,3 @@ ) {

if (options[cmdOptional[i]]) {
commandWithOptions += ` --${cmdOptional[i]}="${options[cmdOptional[i]]}"`;
commandWithOptions.push(`--${cmdOptional[i]}=${options[cmdOptional[i]]}`);
}

@@ -240,26 +245,26 @@ }

/** Run "git log" and return the result as JSON */
function createCommand<T extends CommitField | DefaultField = DefaultField>(
options: GitlogOptions<T>
) {
function createCommandArguments<
T extends CommitField | DefaultField = DefaultField
>(options: GitlogOptions<T>) {
// Start constructing command
let command = "git log -l0 ";
let command: string[] = ["log", "-l0"];
if (options.findCopiesHarder) {
command += "--find-copies-harder ";
command.push("--find-copies-harder");
}
if (options.all) {
command += "--all ";
command.push("--all");
}
if (options.includeMergeCommitFiles) {
command += "-m ";
command.push("-m");
}
command += `-n ${options.number}`;
command.push(`-n ${options.number}`);
command = addOptional(command, options);
command = addOptionalArguments(command, options);
// Start of custom format
command += ' --pretty="@begin@';
let prettyArgument: string = "--pretty=@begin@";

@@ -273,3 +278,3 @@ // Iterating through the fields and adding them to the custom format

command += delimiter + fieldMap[field];
prettyArgument += delimiter + fieldMap[field];
});

@@ -279,7 +284,8 @@ }

// Close custom format
command += '@end@"';
prettyArgument += "@end@";
command.push(prettyArgument);
// Append branch (revision range) if specified
if (options.branch) {
command += ` ${options.branch}`;
command.push(options.branch);
}

@@ -289,11 +295,14 @@

if (options.nameStatus && !options.fileLineRange) {
command += " --name-status";
command.push("--name-status");
}
if (options.fileLineRange) {
command += ` -L ${options.fileLineRange.startLine},${options.fileLineRange.endLine}:${options.fileLineRange.file}`;
command.push(
`-L ${options.fileLineRange.startLine},${options.fileLineRange.endLine}:${options.fileLineRange.file}`
);
}
if (options.file) {
command += ` -- ${options.file}`;
command.push("--");
command.push(options.file);
}

@@ -352,6 +361,10 @@

const execOptions = { cwd: userOptions.repo, ...userOptions.execOptions };
const command = createCommand(options);
const commandArguments = createCommandArguments(options);
if (!cb) {
const stdout = execSync(command, execOptions).toString();
const stdout = execFileSync(
"git",
commandArguments,
execOptions
).toString();
const commits = stdout.split("@begin@");

@@ -367,3 +380,3 @@

exec(command, execOptions, (err, stdout, stderr) => {
execFile("git", commandArguments, execOptions, (err, stdout, stderr) => {
debug("stdout", stdout);

@@ -370,0 +383,0 @@ const commits = stdout.split("@begin@");
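Review bot: `command.push(options.branch)` in createCommandArguments places a caller-supplied value in git's argument list ahead of the `--` separator, so a value beginning with `-` is parsed by git as an option rather than a revision; switching to `execFile` removes shell interpretation but not this. Reject such values before pushing, for example `if (options.branch.startsWith("-")) throw new Error("Invalid branch: " + options.branch);`. `execOptions` is still merged from the caller and its new type `ExecFileSyncOptions` admits `shell`, so passing `shell: true` would bring back shell parsing of these arguments; that option should be stripped or the risk documented. The `-n ${options.number}` and `-L …` values are each pushed as one argv element containing a space, which presumably works only because git tolerates leading whitespace in an attached value; `command.push("-n", String(options.number))` would be more robust. createCommandArguments spans several hunks and parts of its body are not shown here.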

/* eslint-disable handle-callback-err, no-unused-expressions */
import fs from "fs";
import { exec, execSync } from "child_process";

@@ -323,2 +324,19 @@ import gitlog, { gitlogPromise } from "../src";

it("should not execute shell commands", (done) => {
gitlog(
{
repo: testRepoLocation,
branch: "$(touch ../exploit)",
},
() => {
const exists = fs.existsSync("./test/exploit");
expect(exists).toBe(false);
if (exists) {
fs.unlinkSync("./test/exploit");
}
done();
}
);
});
afterAll(() => {

@@ -325,0 +343,0 @@ execInTestDir(`${__dirname}/delete-repo.sh`);
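Review bot: The cleanup in the new test cannot run in the one case it exists for: `expect(exists).toBe(false)` throws when the file is present, so `fs.unlinkSync("./test/exploit")` is never reached and a stale file would keep failing later runs; remove the file first and assert afterwards (`if (exists) fs.unlinkSync("./test/exploit"); expect(exists).toBe(false);`). The check also depends on `../exploit` relative to `testRepoLocation` resolving to `./test/exploit`, which is not visible in this hunk. Only the callback path with `branch` is covered; the synchronous `execFileSync` path and the other caller-supplied options (`file`, `author`, `fileLineRange.file`) would benefit from the same assertion.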

Sorry, the diff of this file is not supported yet

Sorry, the diff of this file is not supported yet

Sorry, the diff of this file is not supported yet

Sorry, the diff of this file is not supported yet

Sorry, the diff of this file is not supported yet
