Eslint-utils version 1.4.0 represents an evolution of the utility library designed to simplify ESLint plugin development. A key difference compared to the previous stable version, 1.3.1, is the introduction of a dependency on eslint-visitor-keys version ^1.0.0. This addition likely streamlines the process of traversing the Abstract Syntax Tree (AST) within ESLint rules, promoting more efficient and accurate code analysis.
Another significant update lies within the development dependencies. Version 1.4.0 upgrades several key tools, including @mysticatea/eslint-plugin (from ^5.0.1 to ^10.0.3), eslint (from ^5.0.1 to ^5.16.0), and espree (from ^4.0.0 to ^5.0.1). These upgrades suggest improvements in testing rigor, code linting capabilities, and JavaScript parsing accuracy, ultimately ensuring the eslint-utils library remains contemporary with the evolving JavaScript ecosystem. Furthermore, nyc (the test-coverage tool) was updated from ^12.0.2 to ^13.0.1 and rollup from ^0.62.0 to ^1.16.7, bringing bug fixes and improved module bundling, respectively.
Developers leveraging eslint-utils benefit from these improvements by gaining access to more robust and dependable tools for crafting custom ESLint rules. These updates collectively enhance the performance and reliability of ESLint plugins built using this library, leading to more effective and precise code quality checks.
All vulnerabilities affecting version 1.4.0 of the package
Arbitrary Code Execution in eslint-utils
Versions of eslint-utils >=1.2.0 or <1.4.1 are vulnerable to Arbitrary Code Execution. The getStaticValue function does not properly sanitize user input, allowing attackers to supply malicious input that executes arbitrary code during the linting process. The getStringIfConstant and getPropertyName functions are not affected.
Upgrade to version 1.4.1 or later.
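To turn the advisory above into a check, here is an added example (not code from eslint-utils or from the advisory) that walks a package-lock.json dependency tree and reports every copy of eslint-utils inside the affected range, read here as >=1.2.0 and <1.4.1. The lockfile layout (a top-level "dependencies" map with nested "dependencies") and the sample lock contents are constructed for illustration.

```javascript
// Added example: audit a package-lock.json for eslint-utils installs that fall
// inside the advisory's affected range (>=1.2.0 and <1.4.1). Not eslint-utils code.

const AFFECTED = { name: "eslint-utils", min: [1, 2, 0], maxExclusive: [1, 4, 1] };

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build suffixes are ignored.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is >=1.2.0 and <1.4.1 (the fixed release 1.4.1 is excluded).
function isAffected(version) {
  const v = parseSemver(version);
  return compare(v, AFFECTED.min) >= 0 && compare(v, AFFECTED.maxExclusive) < 0;
}

// Walk the (possibly nested) dependency tree of a lockfile object and return the
// install paths of affected eslint-utils copies, e.g. "plugin@2.0.0 > eslint-utils@1.4.0".
function findAffected(lock) {
  const hits = [];
  (function walk(deps, path) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${info.version}`];
      if (name === AFFECTED.name && isAffected(info.version)) hits.push(here.join(" > "));
      walk(info.dependencies, here); // nested copies hide under other packages
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile: a fixed top-level copy plus a vulnerable nested copy
// pulled in by a hypothetical plugin.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "eslint-utils": { version: "1.4.1" },
    "some-eslint-plugin": {
      version: "2.0.0",
      dependencies: { "eslint-utils": { version: "1.4.0" } },
    },
  },
};

console.log(findAffected(SAMPLE_LOCK)); // ["some-eslint-plugin@2.0.0 > eslint-utils@1.4.0"]
```

For a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; nested copies are the ones `npm ls` tends to hide.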