ESLint version 0.4.0 introduces several notable changes compared to its predecessor, version 0.3.0, making it a worthwhile update for JavaScript developers focused on code quality and maintainability. One significant addition is the inclusion of js-yaml, doctrine, and optionator as dependencies. These additions suggest enhanced capabilities in handling configuration files (likely for ESLint itself) and potential improvements in parsing and understanding JSDoc-style comments within the code, valuable for projects emphasizing documentation and API generation.
A subtle but important shift is the replacement of optimist with optionator for option parsing. optionator offers a more structured and potentially robust approach to managing command-line options for the ESLint CLI, which could lead to a better user experience when configuring ESLint rules and settings.
Furthermore, version 0.4.0 introduces eslint-tester as a development dependency and removes brfs and through. The inclusion of eslint-tester indicates a focus on improving the internal testing framework of ESLint, ensuring more reliable rule validation and contribution workflow, while the removed unecessary dependencies are streamlined.
The updates reflect a move towards more sophisticated configuration handling, potentially stricter code analysis, and a more robust internal testing environment. Developers upgrading to 0.4.0 can anticipate a more powerful and reliable linting experience, particularly beneficial for larger projects with complex configurations and style guides. The changes highlight the evolution of ESLint toward becoming a more comprehensive and developer-friendly tool for JavaScript code quality.
All the vulnerabilities related to the version 0.4.0 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Denial of Service in js-yaml
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Upgrade to version 3.13.0.
Code Injection in js-yaml
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.
An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object
{
"1553107949161": 1
}
Upgrade to version 3.13.1.
Arbitrary Code Execution in underscore
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Regular Expression Denial of Service in underscore.string
Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).
The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.
Upgrade to version 3.3.5 or higher.