Lint-staged has released version 13.3.0, following closely on the heels of 13.2.3, with several notable updates for developers. The most apparent changes lie in the updated dependencies, reflecting an ongoing effort to stay current with supporting libraries. In version 13.3.0, yaml is updated to 2.3.1, chalk to 5.3.0, execa to 7.2.0, and commander jumps to version 11.0.0. On the package-maintainer side, the devDependencies upgrades include bumping eslint to 8.46.0 and prettier to 3.0.1, along with associated plugin updates such as eslint-plugin-prettier 5.0.0 and eslint-config-prettier 9.0.0.
Notably, version 13.2.3 depended on cli-truncate, normalize-path, and object-inspect, all of which have been removed in version 13.3.0, potentially indicating refactoring or the adoption of alternative solutions within the core code. The listr2 dependency was also bumped from ^5.0.7 to 6.6.1, suggesting improvements in task management and in the user interface shown during the linting process.
For developers already using lint-staged, upgrading to 13.3.0 means benefiting from the latest features and bug fixes in its dependencies and a more refined and robust linting experience. The upgrade may also call for some quick compatibility checks of your configuration to accommodate the removed direct dependencies and the major version bumps.
All vulnerabilities related to version 13.3.0 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. When a malicious payload is passed, the pattern matching keeps backtracking through the input as long as it does not find the closing bracket. As the input size increases, the processing time increases with it, until the application hangs or slows down. A fix was merged, but further testing showed that the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. The issue should be mitigated by using a safe pattern that does not start backtracking the regular expression due to greedy matching.