Eslint version 0.3.0 introduces valuable updates for JavaScript developers seeking a robust linting tool, building upon the foundation of version 0.2.0. Both versions offer Esprima-based pattern checking, but 0.3.0 expands its capabilities with new dependencies and refined tooling. A key addition is the "glob" dependency, enabling more flexible and comprehensive file matching for linting. Furthermore, the inclusion of "chalk" brings colorful terminal output, enhancing the developer experience by making linting results more visually accessible. "text-table" aid in formatting output, making the results easier to read, and "strip-json-comments" ensure that only valid json are used to configure the linter.
Significant changes are also present in the development dependencies. Version 0.3.0 replaces "jshint" and "commonjs-everywhere", reflecting a shift in the testing and build processes. The new dependencies "browserify", "dateformat", and "mocha-phantomjs" suggest enhanced browser-based testing capabilities.
Overall, version 0.3.0 appears to provide a more refined and integrated linting experience for developers. The updated dependencies point to a more modern and feature-rich tool, potentially offering improved performance, more effective file handling, and a more user-friendly interface compared to version 0.2.0. Developers updating from 0.2.0 should carefully review the changes in dependencies to ensure compatibility with their existing workflows.
All the vulnerabilities related to the version 0.3.0 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).