Lint-staged has released version 14.0.0, a minor update from the previous stable version 13.3.0. Both versions share the same core dependencies, including popular packages like yaml, chalk, debug, execa, listr2, pidtree, commander, lilconfig, micromatch, and string-argv, ensuring consistent functionality for linting staged files in Git repositories. The development dependencies also remain identical, featuring jest, husky, eslint, prettier, and various Babel-related tools, indicating a continued commitment to comprehensive testing and code quality. This means that developers upgrading from 13.3.0 to 14.0.0 shouldn't encounter major compatibility issues related to their existing development workflow.
The key difference between the two versions lies in the release date, with version 14.0.0 being published slightly later. This suggests that the update primarily includes bug fixes, minor improvements, or dependency updates that don't introduce breaking changes. For developers, this means a more polished and potentially more stable linting experience without requiring significant code modifications when upgrading. It's always recommended to review the changelog for lint-staged on its GitHub repository to gain a complete understanding of the specific changes introduced in version 14.0.0. This minor version bump signifies a continuing maintenance effort to improve the tool's reliability and usability for developers automating code quality checks in their Git workflows.
All the vulnerabilities related to version 14.0.0 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. Given a malicious payload, the pattern matching keeps backtracking through the input as long as it does not find the closing bracket. As the input size increases, the processing time also increases until the application hangs or slows down. There was a merged fix, but further testing showed the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
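The following is an added example, not micromatch's own code, showing the defensive side of the point above: a brace-detection check written as a greedy regex of the kind the advisory describes, beside a linear-time string scan that does the same job without backtracking. The exact regex `/\{.*\}/` is an assumption modelled on the page's description of a greedy `.*`; the scan, the helper names and the sample inputs are constructed for illustration.

```javascript
// Added example (not micromatch's own code). The advisory says the
// braces() check used a greedy ".*"; the regex below is assumed for
// illustration, modelled on that description.
const GREEDY_BRACE_CHECK = /\{.*\}/;

// Greedy check as described on the page. With many "{" and no closing
// "}", the engine backtracks from every "{", so cost grows quadratically
// with input length.
function hasBracesGreedy(pattern) {
  return GREEDY_BRACE_CHECK.test(pattern);
}

// Linear-time replacement: locate the first "{" and look for a "}" after
// it. No regex, no backtracking; cost is bounded by the pattern length.
// (Unlike the regex, it also accepts a newline between the braces.)
function hasBracesLinear(pattern) {
  if (typeof pattern !== 'string') throw new TypeError('Expected a string');
  const open = pattern.indexOf('{');
  return open !== -1 && pattern.indexOf('}', open + 1) !== -1;
}

// Both checks return the same answer on ordinary glob patterns; only
// their worst-case cost differs.
function checksAgree(pattern) {
  return hasBracesGreedy(pattern) === hasBracesLinear(pattern);
}

// Wall-clock cost of one call in milliseconds, so a reviewer can see the
// difference between the two checks on the same input.
function timeCall(fn, input) {
  const start = performance.now();
  fn(input);
  return performance.now() - start;
}

// Constructed sample inputs: everyday globs plus one long pattern of
// unclosed braces of the shape the advisory warns about.
const BENIGN = ['src/**/*.{js,ts}', 'a{b,c}d', 'no-braces-here', '{unclosed', '}{'];
const HOSTILE = '{'.repeat(10000);

for (const p of BENIGN) {
  console.log(p, 'braces:', hasBracesLinear(p), 'agree:', checksAgree(p));
}
console.log('greedy regex ms:', timeCall(hasBracesGreedy, HOSTILE).toFixed(2));
console.log('linear scan  ms:', timeCall(hasBracesLinear, HOSTILE).toFixed(2));
```

Run it with `node` and compare the two timings; the linear scan stays flat as the pattern grows, which is the property a replacement for a greedy pre-check needs.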