ESLint 0.10.2 is a minor iteration over its predecessor, 0.10.1. It was released on December 12, 2014, roughly a week after 0.10.1 (December 6, 2014), and its dependencies and devDependencies sections are identical to those of 0.10.1, which points to bug fixes, performance work or small feature tweaks rather than a substantial overhaul. A release that follows its predecessor this quickly usually corrects recently reported issues or improves stability, so upgrading is worth considering for anyone already on 0.10.1.
For those new to ESLint, both versions offer the same core functionality: an Esprima-based pattern checker for JavaScript, designed to help enforce coding standards and prevent errors. The utility depends on a suite of tools including Chalk for colorful console output, Esprima for parsing JavaScript, and js-yaml for handling YAML configuration files. It also relies on developer tools such as Mocha and Chai for testing and Browserify for bundling. These dependencies are critical to ESLint's operation, and the parity between the two versions indicates no change in the underlying requirements or capabilities provided by the package. The package is released under the MIT license, which permits open use and contribution.
All vulnerabilities related to version 0.10.2 of the package
Denial of Service in js-yaml
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. Parsing a carefully crafted YAML file stalls the Node process and may exhaust system resources, leading to a Denial of Service.
Upgrade to version 3.13.0.
Code Injection in js-yaml
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value, and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.
An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object
{
"1553107949161": 1
}
Upgrade to version 3.13.1.
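The load() issue above comes down to ordinary JavaScript property-key coercion: a loader that builds a plain object with `result[keyNode] = valueNode` implicitly calls `String(keyNode)`, and if the key is an object whose own `toString` is a function deserialized from the YAML, that function runs. The following is an added illustration written for this page, not js-yaml's own code; `storeMappingPairUnsafe`, `storeMappingPairSafe` and `makePayloadKey` are hypothetical helpers, and the key object stands in for the page's payload with a counter instead of Date.now() so the effect is observable.

```javascript
// Mirrors the vulnerable pattern: the key node is used directly as a property name,
// so String(keyNode) -> keyNode.toString() is invoked while the mapping is built.
function storeMappingPairUnsafe(target, keyNode, valueNode) {
  target[keyNode] = valueNode;
  return target;
}

// Hardened variant (assumed helper): only scalar keys are accepted, so no method
// on an attacker-shaped object can run. The real remedy remains upgrading js-yaml
// to 3.13.1 or later and using safeLoad(), which never constructs functions.
function storeMappingPairSafe(target, keyNode, valueNode) {
  const t = typeof keyNode;
  if (keyNode !== null && t !== 'string' && t !== 'number' && t !== 'boolean') {
    throw new TypeError('mapping key must be a scalar, got ' + t);
  }
  target[String(keyNode)] = valueNode;
  return target;
}

// Constructed stand-in for the page's payload: a key object whose toString is code.
// It records how many times it executed, which is the observable sign of injection.
function makePayloadKey() {
  const state = { executions: 0 };
  const keyNode = {
    toString: function () {
      state.executions += 1;
      return 'ran-at-' + state.executions;
    }
  };
  return { keyNode, state };
}

function demo() {
  const unsafe = makePayloadKey();
  const built = storeMappingPairUnsafe({}, unsafe.keyNode, 1); // -> { "ran-at-1": 1 }

  const safe = makePayloadKey();
  let rejected = false;
  try {
    storeMappingPairSafe({}, safe.keyNode, 1);
  } catch (e) {
    rejected = e instanceof TypeError;
  }

  return {
    unsafeKeys: Object.keys(built),
    unsafeExecutions: unsafe.state.executions,
    safeRejected: rejected,
    safeExecutions: safe.state.executions
  };
}

console.log(demo());
```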
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
var result = "";
for (var i = 0; i <= len; i++) {
result = result + chr;
}
return result;
};
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. Calling the braceExpand function with specific arguments triggers a Regular Expression Denial of Service (ReDoS), resulting in a Denial of Service.