ESLint 2.13.1 is a minor version update to the popular JavaScript linting tool, building upon the foundation laid by version 2.13.0. Both versions share the same core functionality as AST-based pattern checkers, ensuring code quality and consistency across JavaScript projects. They offer a wide range of features, including customizable linting rules, support for various JavaScript syntax versions (ES5, ES6+), and integration with popular code editors and build tools. Developers benefit from consistent code style, early detection of potential errors, and improved code readability.
The dependencies and devDependencies remain largely unchanged between the two versions, indicating a focus on stability and incremental improvements rather than major feature additions. Although the specific changes between 2.13.0 and 2.13.1 are not detailed here, point releases often address bug fixes, performance enhancements, and minor compatibility adjustments. For developers, this signifies a low-risk upgrade path.
When considering whether to upgrade from 2.13.0 to 2.13.1, developers should consult the official ESLint changelog or release notes for a comprehensive list of changes. Key areas to investigate are bug fixes relevant to their specific use cases, performance improvements that might enhance linting speed in large projects, and any modifications to default rules or configurations that could affect existing codebases. Given the minor version jump and shared dependencies, the upgrade is generally recommended for staying current and benefiting from the latest refinements to the tool.
All the vulnerabilities related to the version 2.13.1 of the package
Prototype Pollution in Ajv
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Improper Privilege Management in shelljs
shelljs is vulnerable to Improper Privilege Management
Improper Privilege Management in shelljs
Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user.
Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.
Patched in shelljs 0.8.5
Recommended action is to upgrade to 0.8.5.
https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/
If you have any questions or comments about this advisory:
