ESLint version 0.4.2 is a minor update to the popular JavaScript linting tool, building upon the foundation established by version 0.4.1. Both versions share the same core dependencies, leveraging packages like glob for file system traversal, chalk for stylized console output, and esprima for JavaScript parsing. The development dependencies also remain consistent, with tools like mocha and chai facilitating testing, browserify handling module bundling, and istanbul providing code coverage analysis. This suggests a focus on stability and incremental improvements rather than major architectural changes.
The key difference lies in the release date, with version 0.4.2 being published approximately a week after 0.4.1. Developers upgrading from 0.4.1 to 0.4.2 can anticipate bug fixes, subtle performance improvements or minor adjustments to the existing rule set. The consistent dependency list implies that the core functionality and API remain largely unchanged, minimizing disruption during the update.
For developers already using ESLint, upgrading to 0.4.2 is likely a low-risk way to benefit from the latest refinements. Those new to ESLint can confidently choose either version to start, as they offer a robust and extensible framework for enforcing code style and identifying potential errors in JavaScript projects. The extensive set of development dependencies highlights the project's commitment to quality and thorough testing. While the specific changes between these versions are not explicitly detailed in the metadata, the rapid release cadence signifies active maintenance and continuous enhancement of the ESLint tool.
All the vulnerabilities related to the version 0.4.2 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Denial of Service in js-yaml
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Upgrade to version 3.13.0.
Code Injection in js-yaml
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.
An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object
{
"1553107949161": 1
}
Upgrade to version 3.13.1.
Arbitrary Code Execution in underscore
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Regular Expression Denial of Service in underscore.string
Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).
The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.
Upgrade to version 3.3.5 or higher.