eslint-release is a Node.js tool designed to streamline the release process for ESLint plugins and configurations. Versions 0.1.5 and 0.2.0 share a common foundation: both offer utilities for automating tasks such as updating version numbers, generating changelogs, and publishing to npm. Both rely on the same core dependencies, including EJS for templating, semver for version management, and shelljs for executing shell commands. According to the release dates provided, both versions were published on the same day, which suggests they contained similar changes.
The primary difference, based on the available data, lies in the version numbers and release metadata, with version 0.2.0 building on the stability and functionality of 0.1.5. Developers using eslint-release can leverage its features to automate tedious release steps, ensuring consistency and reducing the risk of errors. This includes tasks such as updating package.json with the new version number, generating release notes from the commit history, applying code fixes with linefix, verifying licenses with npm-license, and other custom tasks. The tool is particularly valuable for maintainers of ESLint-related projects who want a smooth and reliable release cycle. To get the latest improvements, the later version 0.2.0 is recommended. The underlying functionality remains similar, so upgrading involves minimal changes to existing workflows.
All vulnerabilities related to version 0.2.0 of the package
ejs lacks certain pollution protection
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
ejs template injection vulnerability
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
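As an added defensive example (not code from eslint-release, ejs or this advisory), the following builds the data object handed to the ejs renderer from untrusted input using an allowlist, so that the settings / view options / outputFunctionName path described above, and the prototype-pollution keys behind the first ejs advisory, never reach the template engine. The set of allowed data keys is an assumption the application supplies.

```javascript
// Added example, not part of eslint-release or ejs. Builds ejs render data
// from untrusted input (e.g. a parsed request body) with an allowlist.

// Keys on the injection path named in the ejs advisory: settings -> "view options"
// -> outputFunctionName. Dropped at every nesting level.
const EJS_CONTROL_KEYS = new Set(['settings', 'view options', 'outputFunctionName']);
// Keys that allow prototype pollution when merged into options objects.
const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Copies scalars as-is, recurses into arrays and objects, and drops engine
// control keys and pollution keys. Output objects have a null prototype so
// a later shallow merge cannot reach Object.prototype.
function sanitizeValue(value) {
  if (Array.isArray(value)) return value.map(sanitizeValue);
  if (!isPlainObject(value)) return value;
  const out = Object.create(null);
  for (const key of Object.keys(value)) {
    if (EJS_CONTROL_KEYS.has(key) || POLLUTION_KEYS.has(key)) continue;
    out[key] = sanitizeValue(value[key]);
  }
  return out;
}

// Only top-level keys the application's templates actually use are kept
// (allowedKeys is assumed to be maintained by the application).
function buildRenderData(untrusted, allowedKeys) {
  const out = Object.create(null);
  if (!isPlainObject(untrusted)) return out;
  for (const key of Object.keys(untrusted)) {
    if (!allowedKeys.has(key)) continue;
    out[key] = sanitizeValue(untrusted[key]);
  }
  return out;
}

// Constructed sample input: an untrusted JSON document that smuggles in the
// advisory's option path and a pollution key next to legitimate data.
const SAMPLE_INPUT = JSON.parse(
  '{"title":"Hello","settings":{"view options":{"outputFunctionName":"ignored"}},' +
  '"user":{"name":"alice","__proto__":{"polluted":true},"view options":1}}'
);
const ALLOWED_DATA_KEYS = new Set(['title', 'user']);
```

The application then calls the renderer with `buildRenderData(SAMPLE_INPUT, ALLOWED_DATA_KEYS)` instead of the raw input.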
Improper Privilege Management in shelljs
shelljs is vulnerable to Improper Privilege Management
Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user.
Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.
Patched in shelljs 0.8.5
Recommended action is to upgrade to 0.8.5.
https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/
Uncontrolled Resource Consumption in trim-newlines
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Arbitrary Code Execution in underscore
The underscore package, in versions from 1.13.0-0 before 1.13.0-2 and from 1.3.2 before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.