The eslint-plugin-prettier package, version 1.0.0, marks a significant early iteration in the project's life. This version, released in January 2017, provides a way to integrate Prettier's code formatting directly into ESLint workflows, allowing developers to automatically format code using Prettier as part of their linting process. It aims to catch and correct code style issues automatically, thus enforcing consistent code formatting across a project.
This version relies on Prettier version 0.11.0, which is quite old by today's standards and lacks many of the formatting features and configuration options available in newer Prettier releases. It's supported by ESLint version 3.14.1 and includes eslint-plugin-node and eslint-plugin-eslint-plugin as development dependencies, suggesting a focus on developing and testing the plugin itself in a Node.js environment.
For developers considering using this specific version, it's crucial to understand that newer versions provide better Prettier integration, support more recent ESLint features, and include bug fixes and performance improvements. Using version 1.0.0 might be suitable for legacy projects locked into older ESLint and Prettier environments, but for new projects or those seeking the latest features and best performance, upgrading to a more recent version of eslint-plugin-prettier is highly recommended. Developers should also be aware of the dependency versions, especially Prettier, as the formatting rules will be determined by that older version.
All the vulnerabilities related to the version 1.0.0 of the package
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
