ESLint version 0.11.0 is a minor update to the popular JavaScript linting tool, building upon the foundation laid by version 0.10.2. Both versions maintain the core functionality of providing an Esprima-based pattern checker, ensuring code quality and consistency across projects. However, a key difference lies in the parser dependency: version 0.11.0 depends on espree version ^1.4.0, while version 0.10.2 relies on esprima version ^1.2.2. This change likely incorporates improvements and bug fixes within the espree parser, potentially impacting how ESLint analyzes JavaScript code.
For developers, this means that upgrading to ESLint 0.11.0 could lead to slight variations in linting results due to the enhanced parser. While the fundamental linting rules remain the same, nuanced differences in code interpretation might surface.
Another subtle change is the istanbul package's version, upgrading from 0.3.2 to 0.3.5. This might indicate slight improvements in the test coverage instrumentation.
Both versions share the same set of core dependencies and developer tooling, promising a smooth transition for existing users. The release date of version 0.11.0 also indicates that it is a newer version. Developers should review the changelog for espree version ^1.4.0 to understand the implications of this parsing update and tailor their ESLint configurations accordingly for optimal results.
All the vulnerabilities related to the version 0.11.0 of the package
Denial of Service in js-yaml
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Upgrade to version 3.13.0.
Code Injection in js-yaml
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.
An example payload is:
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object:
{
  "1553107949161": 1
}
Upgrade to version 3.13.1.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
// pattern: an unterminated negated character class followed by a long run of backslashes
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
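The fixed versions named in the advisories above (js-yaml 3.13.0 and 3.13.1, minimatch 3.0.2) can be checked across a whole dependency tree. The following is an added example, not part of the original page or of ESLint: it walks a tree in the shape produced by npm ls --json. The sample tree, its package names (example-app, tool-a, tool-b) and the function names are constructed for illustration, and the braceExpand advisory is left out because the page gives no fixed version for it.

```javascript
// Added example: flag dependencies older than the fixed versions named above.
// Highest fix per package: js-yaml 3.13.1 (covers the 3.13.0 DoS fix too),
// minimatch 3.0.2 (pattern-argument ReDoS).
const FIXED = new Map([["js-yaml", "3.13.1"], ["minimatch", "3.0.2"]]);

// Parse "x.y.z" into numbers; prerelease/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v || ""));
  return m ? m.slice(1).map(Number) : null;
}

// True when `version` is lower than `fixed`. Unparseable versions fail closed
// (reported) so they get a manual look instead of being silently passed.
function isLower(version, fixed) {
  const a = parseVersion(version), b = parseVersion(fixed);
  if (!a) return true;
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Recursively walk `dependencies`, recording the path to every affected copy,
// because a fixed top-level copy does not fix a nested one.
function findVulnerable(node, path = [node.name || "root"], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = path.concat(name);
    if (FIXED.has(name) && isLower(dep.version, FIXED.get(name))) {
      out.push({ path: here.join(" > "), version: dep.version, upgradeTo: FIXED.get(name) });
    }
    findVulnerable(dep, here, out);
  }
  return out;
}

// Constructed sample in the shape of `npm ls --json` output (not real data).
const sampleTree = {
  name: "example-app", version: "1.0.0",
  dependencies: {
    "js-yaml": { version: "3.2.4" },
    "minimatch": { version: "1.0.0" },
    "tool-a": { version: "1.0.0", dependencies: { "minimatch": { version: "3.0.4" } } },
    "tool-b": { version: "1.0.0", dependencies: { "js-yaml": { version: "3.13.0" } } },
  },
};

for (const f of findVulnerable(sampleTree)) {
  console.log(`${f.path}: ${f.version} -> upgrade to ${f.upgradeTo}`);
}
```

The nested js-yaml 3.13.0 under tool-b is still reported: it has the Denial of Service fix but not the load() code injection fix from 3.13.1.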