Eslint version 0.1.2 represents an incremental upgrade over version 0.1.1, both being Esprima-based JavaScript pattern checkers. A notable change lies in the project's tooling and development dependencies. Version 0.1.2 adopts a Grunt-centric build process, introducing a suite of Grunt plugins for tasks like linting (grunt-contrib-jshint), code coverage (grunt-istanbul, grunt-istanbul-coverage), testing (grunt-mocha-test, grunt-vows-runner), and general utility (grunt-contrib-copy, grunt-contrib-clean). This shift suggests a move towards a more automated and standardized build workflow.
Furthermore, version 0.1.2 replaces the direct dependency on JSHint found in 0.1.1 with grunt-contrib-jshint, indicating a change in how linting is handled within the project; potentially integrating it more tightly into the build process. Another key difference is the removal of istanbul as a direct dev dependency, replaced by Grunt-based istanbul tools, offering more flexibility during development. These changes aim at streamlining the development process by leveraging the Grunt ecosystem.
For developers using Eslint, version 0.1.2 indicates a potentially more robust and well-tested codebase, thanks to the enhanced testing and coverage tools employed during development. Version 0.1.2 relies on a more modern node environment.
All the vulnerabilities related to the version 0.1.2 of the package
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
