ESLint 2.5.1 is a patch release following 2.5.0; both are AST-based pattern checkers for JavaScript. The package metadata shows the same runtime dependencies in both versions (among them glob, chalk, lodash and the espree parser) and the same development dependencies used for testing and building. With no dependency changes, the difference between 2.5.0 and 2.5.1 is confined to ESLint's own code, which is what a patch release is meant to contain: bug fixes and internal adjustments rather than new features.
Projects on 2.5.0 can move to 2.5.1 with little risk: the dependency tree is unchanged, so the upgrade pulls in only ESLint's own fixes.
The feature set is the same in both versions; the patch addresses problems reported against 2.5.0 after its release. Keeping developer tooling such as ESLint on the latest patch release is a reasonable default. The advisories listed below, however, are for packages in the dependency tree rather than for ESLint's own code, so moving from 2.5.0 to 2.5.1 does not by itself change them; each needs its own dependency update.
All vulnerabilities related to version 2.5.1 of the package
Prototype Pollution in Ajv
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema passed to the validator can pollute Object.prototype, and that pollution can be escalated to execution of other code. Validating untrusted schemas is already recommended against, but the worst case of an untrusted schema should be a denial of service, not execution of code. The issue is fixed in Ajv 6.12.3.
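The practical defence when a schema can come from outside the trust boundary is to refuse it before any validator compiles it. The following is an added example and is not Ajv's code: it walks a parsed schema and rejects the property names that let a plain-object copy reach Object.prototype, and it shows the bug class in miniature with a deliberately naive recursive merge (a hypothetical helper written for this page, not the code path that was fixed in Ajv). Sample schemas are constructed inline.

```javascript
// Added example (not Ajv's code): detect prototype-polluting keys in an
// untrusted JSON schema before it reaches any validator, and show why a
// naive recursive copy of such an object reaches Object.prototype.

// Property names that a plain-object copy can turn into a write to a prototype.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walk a parsed JSON value; return the JSONPath-like location of the first
// dangerous key, or null when the document is clean. JSON.parse keeps
// "__proto__" as an ordinary own property, so Object.keys() does see it.
function findDangerousKey(node, path = "$") {
  if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) {
      const hit = findDangerousKey(node[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (node !== null && typeof node === "object") {
    for (const key of Object.keys(node)) {
      if (DANGEROUS_KEYS.has(key)) return `${path}.${key}`;
      const hit = findDangerousKey(node[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Parse schema text from an untrusted source and refuse it outright if it
// carries a dangerous key anywhere in the tree.
function parseUntrustedSchema(text) {
  const schema = JSON.parse(text);
  const hit = findDangerousKey(schema);
  if (hit) throw new Error(`refusing schema: dangerous key at ${hit}`);
  return schema;
}

// The bug class in miniature (hypothetical helper, not taken from Ajv): a
// recursive merge that indexes the target with attacker-chosen keys. For the
// key "__proto__", target[key] is Object.prototype, so the recursion writes
// into the global prototype shared by every plain object.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the pollution once, records whether an unrelated object was affected,
// then removes the polluted property so the process state is restored.
function naiveMergeLeaksIntoPrototype() {
  const untrusted = JSON.parse('{"type":"object","__proto__":{"polluted":"yes"}}');
  naiveMerge({}, untrusted);
  const leaked = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return leaked;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive merge polluted Object.prototype:", naiveMergeLeaksIntoPrototype());
  try {
    parseUntrustedSchema('{"type":"object","__proto__":{"polluted":"yes"}}');
  } catch (e) {
    console.log(e.message);
  }
}
```

The check is deliberately conservative: a schema that legitimately describes an object with a property literally named "constructor" or "prototype" is rejected too, which is the right trade-off when the schema author is untrusted. It is a pre-filter, not a substitute for running a fixed Ajv release.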
Improper Privilege Management in shelljs
shelljs is vulnerable to Improper Privilege Management
Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user.
Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.
Patched in shelljs 0.8.5
Recommended action is to upgrade to 0.8.5.
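Because shelljs is usually a transitive dependency, the copy that matters may sit nested under another package rather than at the top of node_modules. The following added example (not shelljs's or ESLint's code) reads a package-lock.json structure, lists every installed copy of a package, and flags those below the fixed version stated above; the lockfiles and version numbers in it are constructed for illustration.

```javascript
// Added example, not shelljs's or ESLint's code: locate every installed copy
// of a package in a package-lock.json and flag the ones below the fixed
// version. Nested copies matter: a dependency may carry its own shelljs under
// node_modules/<dep>/node_modules/shelljs.

// Advisory data as stated on this page.
const SHELLJS_ADVISORY = { name: "shelljs", fixedIn: "0.8.5" };

// Parse a plain "x.y.z" version (prerelease and build tags are ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric comparison of two x.y.z versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 1 nests dependencies recursively under "dependencies".
function walkV1(deps, prefix, name, out) {
  for (const [depName, entry] of Object.entries(deps)) {
    const path = `${prefix}/${depName}`;
    if (depName === name && entry.version) out.push({ path, version: entry.version });
    if (entry.dependencies) walkV1(entry.dependencies, `${path}/node_modules`, name, out);
  }
}

// Return every installed copy of `name` as { path, version }.
// lockfileVersion 2 and 3 list installs flat under "packages", keyed by their
// node_modules path; version 2 also repeats the v1 tree, which is skipped so
// that a copy is not reported twice.
function findInstalled(lock, name) {
  const out = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      const pkgName = path.split("node_modules/").pop();
      if (pkgName === name && entry.version) out.push({ path, version: entry.version });
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, "node_modules", name, out);
  }
  return out;
}

// Copies whose version is below the fixed one.
function vulnerableCopies(lock, advisory) {
  return findInstalled(lock, advisory.name)
    .filter((c) => compareVersions(c.version, advisory.fixedIn) < 0);
}

// Constructed sample lockfiles (package names and versions are illustrative).
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    shelljs: { version: "0.8.5" },
    "some-tool": {
      version: "1.0.0",
      dependencies: { shelljs: { version: "0.8.4" } },
    },
  },
};

const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    "": { name: "app" },
    "node_modules/shelljs": { version: "0.8.5" },
    "node_modules/some-tool": { version: "1.0.0" },
    "node_modules/some-tool/node_modules/shelljs": { version: "0.7.8" },
  },
  dependencies: {}, // v2 duplicates the v1 tree here; ignored by findInstalled
};

if (typeof require !== "undefined" && require.main === module) {
  for (const lock of [SAMPLE_LOCK_V1, SAMPLE_LOCK_V2]) {
    for (const c of vulnerableCopies(lock, SHELLJS_ADVISORY)) {
      console.log(`${c.path} is ${c.version}, below ${SHELLJS_ADVISORY.fixedIn}`);
    }
  }
}
```

For a real project, replace the sample objects with JSON.parse(fs.readFileSync("package-lock.json", "utf8")); a nested copy reported by this scan needs the parent package updated (or an override) rather than only a top-level "npm install shelljs@0.8.5".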
https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/