ESLint version 3.9.0 is a minor release following 3.8.1 in the popular JavaScript linting tool. Both versions share the same core purpose: AST-based pattern checking for identifying and enforcing code style and best practices. Key dependencies like glob, levn, chalk, escope, espree, lodash, and js-yaml remain consistent, indicating significant architectural stability. Developers can expect familiar behavior in core linting functionalities.
The most notable difference between the two versions lies in updated dependencies: shelljs moved from 0.6.0 to 0.7.5, and in the devDependencies mock-fs moved from 3.10.0 to 3.11.0. These updates bring bug fixes and improvements in the underlying shell-scripting and file-system-mocking tools used in development workflows, which in turn benefit ESLint's stability and performance, while the core linter's evaluation of JavaScript code remains largely the same.
For developers, upgrading from 3.8.1 to 3.9.0 should be a straightforward process, given that core functionality is preserved. However, thoroughly testing the upgrade is crucial, especially in projects that rely heavily on shelljs or mock-fs. ESLint continues to provide configuration options that let users customize rules to match their project's styling conventions. Consult the ESLint changelog for the complete list of changes and to take full advantage of the improvements. The tool is a must-have for automatically improving JavaScript code quality and readability.
Known vulnerabilities affecting version 3.9.0 of the package:
Prototype Pollution in Ajv
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Improper Privilege Management in shelljs
shelljs is vulnerable to Improper Privilege Management
Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user. Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.
Patched in shelljs 0.8.5. Recommended action is to upgrade to 0.8.5.
https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/
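The practical question for anyone running ESLint 3.9.0 is whether the installed dependency tree still contains an affected shelljs or ajv. The following is an added example, not code from the page or from the ESLint project: a small audit that walks a package-lock-style dependency tree and flags packages whose installed version matches an advisory. The only advisory data it uses is what the page states (shelljs patched in 0.8.5, so anything below is flagged; ajv 6.12.2 affected, with no fixed version given here). The lock-file object, the helper names, and the chalk version are constructed for the example.

```javascript
// Added example: minimal advisory audit over a package-lock v1 style tree.
// Advisory facts come only from the page above; the lock data is constructed.

// Compare two dotted version strings numerically; pre-release tags are ignored.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Advisory table (constructed from the two advisories on this page).
const ADVISORIES = [
  {
    name: "shelljs",
    title: "Improper Privilege Management in shelljs",
    affected: (v) => compareVersions(v, "0.8.5") < 0, // patched in 0.8.5
    fix: "upgrade to 0.8.5",
  },
  {
    name: "ajv",
    title: "Prototype Pollution in Ajv",
    affected: (v) => compareVersions(v, "6.12.2") === 0, // version named on the page
    fix: "upgrade beyond 6.12.2 (fixed version not stated on this page)",
  },
];

// Flatten a nested "dependencies" map into { name, version, path } records,
// recording the install path so a finding can be traced to its parent.
function collectPackages(deps, prefix, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = prefix ? `${prefix} > ${name}` : name;
    out.push({ name, version: info.version, path });
    collectPackages(info.dependencies, path, out);
  }
  return out;
}

// Return one finding per installed package matching an advisory.
function audit(lock) {
  const findings = [];
  for (const pkg of collectPackages(lock.dependencies, "", [])) {
    for (const adv of ADVISORIES) {
      if (pkg.name === adv.name && adv.affected(pkg.version)) {
        findings.push({ ...pkg, title: adv.title, fix: adv.fix });
      }
    }
  }
  return findings;
}

// Constructed lock-file fragment modelled on the versions the page lists;
// the chalk version is a placeholder, not taken from the page.
const SAMPLE_LOCK = {
  name: "example-project",
  dependencies: {
    eslint: {
      version: "3.9.0",
      dependencies: {
        shelljs: { version: "0.7.5" },
        ajv: { version: "6.12.2" },
        chalk: { version: "1.1.3" },
      },
    },
    "mock-fs": { version: "3.11.0" },
  },
};

for (const f of audit(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.title} -> ${f.fix}`);
}
```

On the constructed tree this reports the shelljs 0.7.5 pulled in under eslint and the ajv 6.12.2 entry, and nothing for mock-fs or chalk. A real audit should take its affected ranges from the npm advisory database rather than a hand-written table, but the version comparison and tree walk are the same.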