ESLint 2.4.0 is a minor release on top of 2.3.0, consisting of bug fixes and dependency updates. Because it introduces no breaking changes, upgrading from 2.3.0 is straightforward and recommended.
The notable difference is in the dependencies. escope, the ECMAScript scope analyzer ESLint uses to resolve variable references, moves from 3.5.0 to 3.6.0, and estraverse, the AST traversal library, moves from 4.1.1 to 4.2.0. espree, the parser, is unchanged, so the set of syntax ESLint 2.4.0 can parse is the same as in 2.3.0; the effect of these updates is on scope analysis and traversal, which is where rules such as no-undef, no-unused-vars and no-shadow get their data, rather than on support for new language features.
From a developer's perspective the linting rules and configuration format are unchanged. Developers who depend on scope-sensitive rules should read the escope 3.6.0 and estraverse 4.2.0 changelogs to see exactly which behaviors changed and confirm that their existing configuration still produces the expected results. Given the non-breaking nature of the release, upgrading to 2.4.0 is recommended for all users of ESLint 2.x.
All the vulnerabilities related to version 2.4.0 of the package. Note that the advisories below are against packages in ESLint's dependency tree (ajv and shelljs), not against ESLint's own code; whether a given install is exposed depends on which versions of those packages are actually resolved in its lockfile, and on whether the affected functionality (validating untrusted schemas, or running synchronous shell.exec() on a shared host) is ever reached.
Prototype Pollution in Ajv
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
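The advisory above describes the general class of bug rather than a specific payload, and the practitioner-relevant point is the last sentence: an untrusted JSON document must not be able to write into Object.prototype. The following is an added illustration of that class, not ajv's code and not the ajv bug itself: a naive recursive merge that a document with an own "__proto__" key can use to pollute every object in the process, alongside a hardened merge and a pre-screen that flags prototype-affecting keys in any untrusted JSON before it reaches a validator or merge routine. The key names "polluted" and "role" are made up for the demonstration.

```javascript
// Added illustration of prototype pollution via a recursive merge (not ajv's code).
// Keys that can reach a prototype through ordinary property access.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: when `key` is "__proto__", dst[key] is not an own-property lookup,
// it resolves to Object.prototype, so the recursion copies the attacker's keys
// onto every object that inherits from it.
function naiveMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof dst[key] !== 'object' || dst[key] === null) dst[key] = {};
      naiveMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened: reject prototype-affecting keys outright, only descend into containers
// that are own properties of dst, and create children with a null prototype so
// no inherited lookup can be reached during the recursion.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing prototype-affecting key "${key}"`);
    }
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key) ? dst[key] : undefined;
      if (typeof own !== 'object' || own === null) dst[key] = Object.create(null);
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Pre-screen for untrusted JSON (a schema, a config, a request body): returns the
// path of every key that could reach a prototype, so the document can be rejected
// before any library touches it.
function findForbiddenKeys(node, path = '$', found = []) {
  if (node !== null && typeof node === 'object') {
    for (const key of Object.keys(node)) {
      const here = Array.isArray(node) ? `${path}[${key}]` : `${path}.${key}`;
      if (FORBIDDEN_KEYS.has(key)) found.push(here);
      findForbiddenKeys(node[key], here, found);
    }
  }
  return found;
}

// Runs both merges on the same attacker-controlled document (constructed here) and
// reports what an unrelated, freshly created object sees afterwards.
function demonstrate() {
  // JSON.parse creates an OWN property named "__proto__"; it does not set the prototype.
  const attackerDoc = JSON.parse('{"__proto__": {"polluted": true}, "role": "user"}');
  const beforePollution = ({}).polluted;        // undefined
  naiveMerge({}, attackerDoc);
  const afterNaive = ({}).polluted;             // true: every object now inherits it
  delete Object.prototype.polluted;             // undo the damage for the rest of the run
  let safeError = null;
  try {
    safeMerge({}, attackerDoc);
  } catch (e) {
    safeError = e.message;
  }
  return {
    beforePollution,
    afterNaive,
    afterCleanup: ({}).polluted,
    safeError,
    flaggedPaths: findForbiddenKeys(attackerDoc),
  };
}

console.log(demonstrate());
```

The pre-screen is deliberately coarse: in a JSON Schema, a key named "constructor" under "properties" is data (the name of a property being described), not a prototype reference, so a real deployment would tune the check to the document's grammar. The robust fix is the one in safeMerge: never route untrusted keys through inherited property access, and reject the three names above anywhere they are not legitimate data.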
Improper Privilege Management in shelljs
shelljs is vulnerable to Improper Privilege Management
Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user. Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.
Patched in shelljs 0.8.5. Recommended action is to upgrade to 0.8.5.
https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/
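Both advisories on this page are against dependencies, so the first thing to establish is which versions of ajv and shelljs a project actually resolves. The following is an added example, not part of either advisory: it reads a package-lock.json (both the v1 nested "dependencies" layout and the v2/v3 flat "packages" layout) and reports every resolved copy of the named packages that is below its fixed release. SAMPLE_LOCK is a constructed lockfile with versions chosen for illustration, not a real ESLint 2.4.0 install. The shelljs threshold 0.8.5 comes from the advisory above; the ajv threshold 6.12.3 is the upstream fix release for the issue reported against 6.12.2 and is not stated on this page.

```javascript
// Added example (not from the advisories): lockfile audit against fixed-in thresholds.
const ADVISORIES = [
  { name: 'ajv', fixedIn: '6.12.3', title: 'Prototype Pollution in Ajv' },
  { name: 'shelljs', fixedIn: '0.8.5', title: 'Improper Privilege Management in shelljs' },
];

// Constructed lockfile (v1 layout) for illustration; versions are not real data.
const SAMPLE_LOCK = {
  name: 'example-project',
  lockfileVersion: 1,
  dependencies: {
    eslint: {
      version: '2.4.0',
      dependencies: { shelljs: { version: '0.5.3' } },   // nested copy, not hoisted
    },
    ajv: { version: '6.12.2' },
    'some-cli': {
      version: '1.0.0',
      dependencies: { ajv: { version: '6.12.6' }, shelljs: { version: '0.8.5' } },
    },
  },
};

// major.minor.patch only; prerelease tags are ignored. Returns null when unparsable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// true when a < b, false when a >= b, null when either side cannot be parsed
// (an unknown version must never be reported as safe).
function isBelow(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) return null;
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Flattens a lockfile into {name, version, path} entries, one per installed copy.
function resolvedPackages(lock) {
  const out = [];
  if (lock.packages) {
    // v2/v3: keys are install paths such as "node_modules/eslint/node_modules/shelljs";
    // the empty key is the root project itself.
    for (const [p, entry] of Object.entries(lock.packages)) {
      if (p === '') continue;
      const name = p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
      out.push({ name, version: entry.version, path: p });
    }
  } else if (lock.dependencies) {
    // v1: nested "dependencies" objects mirror the node_modules tree.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${name}`;
        out.push({ name, version: entry.version, path: p });
        if (entry.dependencies) walk(entry.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return out;
}

// Returns one finding per installed copy that is below (or of unknown relation to)
// the fixed release of a listed advisory.
function auditLock(lock, advisories = ADVISORIES) {
  const findings = [];
  for (const pkg of resolvedPackages(lock)) {
    for (const adv of advisories) {
      if (pkg.name !== adv.name) continue;
      const below = isBelow(pkg.version, adv.fixedIn);
      if (below === false) continue;
      findings.push({
        ...pkg,
        fixedIn: adv.fixedIn,
        title: adv.title,
        status: below === null ? 'unknown' : 'vulnerable',
      });
    }
  }
  return findings;
}

console.log(auditLock(SAMPLE_LOCK));
```

Run against a real lockfile with `auditLock(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')))`. The path in each finding matters: a vulnerable copy nested under ESLint is only fixed by an ESLint upgrade or an override, not by bumping the top-level version. The same question can be answered interactively with `npm ls ajv shelljs`, and `npm audit` covers the full advisory database; the point of doing it in code is to pin the exact thresholds from an advisory you have read and to fail a build deterministically.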
If you have any questions or comments about this advisory: