eslint, a popular JavaScript linting tool, saw a minor version bump from 2.7.0 to 2.8.0 in April 2016. Both versions share the same core purpose: analyzing JavaScript code for potential errors, enforcing coding styles, and promoting code quality. Developers rely on eslint to catch bugs early, maintain consistency across projects, and automate code review processes.
The dependencies listed are identical, indicating that core functionality and tooling support remained consistent between these versions; whatever changed was most likely internal fixes to the tool itself.
The devDependencies are also identical between the two, underscoring how close these releases are.
While the core functionality remained very similar, the release cadence is noteworthy. Version 2.8.0 was published just 11 days after the previous one, which suggests it addressed a bug, a very small missing feature, or an edge case. Given the quick release cycle and the shared dependencies, migrating should be painless for existing users. Developers could upgrade their tooling to the later version with minimal risk of breaking changes while gaining stability and potentially fixing edge cases in their own code.
These versions continue to be valuable for projects targeting older environments, as newer versions of eslint often drop support for older Node.js versions or rely on more recent ECMAScript features. Developers staying on these older versions of eslint still benefit from updated rule implementations, bug fixes, and performance improvements without having to overhaul their existing configurations.
All vulnerabilities related to version 2.8.0 of the package:
Prototype Pollution in Ajv
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
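As an added example (not code from the page, from eslint, or from Ajv), the following JavaScript shows one general defensive screen for untrusted schemas: walk the parsed document and reject it if it carries the keys prototype-pollution payloads depend on, before it ever reaches ajv.validate(). It does not reproduce the Ajv 6.12.2 bug and is no substitute for upgrading; the key set, the function names and the sample schemas are constructed for this example.

```javascript
// Added example, not from the page or from Ajv: a pre-validation screen for
// untrusted JSON schemas. It reports the own-property keys that prototype-
// pollution payloads rely on, so a service can refuse such a schema up front.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walk a parsed JSON value and return JSON-pointer-like paths of every own
// property whose name is in DANGEROUS_KEYS. Only own keys are inspected, so
// the inherited "constructor" of ordinary objects is never reported.
function findPrototypePollutionKeys(value, path = "", found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findPrototypePollutionKeys(item, `${path}/${i}`, found));
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      const here = `${path}/${key}`;
      if (DANGEROUS_KEYS.has(key)) found.push(here);
      // An own "__proto__" data property shadows the accessor, so this reads
      // the attacker-supplied object rather than the real prototype.
      findPrototypePollutionKeys(value[key], here, found);
    }
  }
  return found;
}

// Parse an untrusted schema and refuse it if any suspicious key is present.
// JSON.parse stores "__proto__" as a plain own data property (it does not set
// the prototype); a later naive deep-merge is what turns it into pollution of
// Object.prototype, which is why the key is rejected at the boundary.
function parseUntrustedSchema(text) {
  const schema = JSON.parse(text);
  const hits = findPrototypePollutionKeys(schema);
  if (hits.length > 0) {
    throw new Error(`schema rejected, suspicious keys at: ${hits.join(", ")}`);
  }
  return schema;
}

// Constructed sample inputs (not taken from the advisory).
const CLEAN_SCHEMA =
  '{"type":"object","properties":{"name":{"type":"string"}}}';
const SUSPICIOUS_SCHEMA =
  '{"type":"object","properties":{"name":{"type":"string"}},' +
  '"default":{"__proto__":{"polluted":true}}}';

console.log(findPrototypePollutionKeys(JSON.parse(SUSPICIOUS_SCHEMA))); // ["/default/__proto__"]
```

The check is deliberately conservative: a legitimate schema whose `properties` block describes a field literally named `constructor` would also be rejected and would need an allowlist for that path.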
Improper Privilege Management in shelljs
shelljs is vulnerable to Improper Privilege Management
Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user.
Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.
Patched in shelljs 0.8.5
Recommended action is to upgrade to 0.8.5.
https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/