Lint-staged version 14.0.1 is a minor patch release following closely on the heels of version 14.0.0, both designed to streamline linting of staged files within Git repositories. Both versions share the same core dependencies, including yaml, chalk, debug, execa, listr2, pidtree, commander, lilconfig, micromatch, and string-argv, ensuring consistent functionality for parsing configuration, adding color to the console, debugging, executing commands, managing task lists, handling process IDs, parsing command-line arguments, finding configuration files, matching file patterns, and parsing string arguments. Similarly, the developer dependencies for testing, linting, and code formatting, such as jest, husky, eslint, prettier, and related Babel plugins, remain the same, guaranteeing code quality and consistency across both versions.
The key difference lies in the dist object. Version 14.0.1 ships 33 files with an unpacked size of 113767 bytes, whereas version 14.0.0 ships 32 files with an unpacked size of 113261 bytes. The release dates also differ: version 14.0.1 was released on 2023-08-21, a week after 14.0.0 on 2023-08-13. For developers already using lint-staged 14.0.0, upgrading to 14.0.1 is likely a low-risk move that may pick up minor fixes and improvements. New users can confidently adopt either version, knowing they benefit from a well-maintained tool with active community support.
All the vulnerabilities related to version 14.0.1 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is in micromatch.braces() in index.js, where the pattern ".*" greedily matches anything. Given a malicious payload, the pattern matching keeps backtracking over the input as long as it has not found the closing bracket, so the time consumed grows with the input size until the application slows down or hangs. A fix had already been merged, but further testing showed the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. The issue should be mitigated by using a safe pattern that does not start backtracking the regular expression due to greedy matching.
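As an added example (not code from micromatch or lint-staged), the following JavaScript contrasts a greedy brace check shaped like the one the advisory describes with a single forward scan that gives the same answer without backtracking, and times both on a constructed input of many unclosed braces. GREEDY_BRACE_RE is an assumption about the shape of the vulnerable pattern, not the library's actual code; hasBracesGreedy, hasBracesLinear, agree, timeMs and hostileInput are names introduced here.

```javascript
// Added example, not micromatch's own code. Contrasts a greedy ".*" brace
// check with a linear-time equivalent and measures both on constructed input.

// Assumption: a check of this shape is what the advisory means by a greedy
// ".*" pattern searching for a closing bracket. Illustrative only; it is not
// a copy of micromatch's index.js.
const GREEDY_BRACE_RE = /\{.*\}/;

// Greedy form: for every "{" the engine runs ".*" to the end of the input and
// then backtracks one character at a time looking for "}". With many "{" and
// no "}" that is O(n^2) work for an input of length n.
function hasBracesGreedy(pattern) {
  return GREEDY_BRACE_RE.test(pattern);
}

// Safe form: one forward pass that remembers whether an opening brace has
// been seen and returns at the first closing brace after it. Always O(n).
// "." in the regex does not cross a line terminator, so the scan resets on
// those characters to keep both checks in agreement on multi-line input.
function hasBracesLinear(pattern) {
  let open = false;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\n' || ch === '\r' || ch === '\u2028' || ch === '\u2029') {
      open = false;
    } else if (ch === '{') {
      open = true;
    } else if (ch === '}' && open) {
      return true;
    }
  }
  return false;
}

// Differential check: when a regex is replaced by a hand-written scan, both
// must agree on every input, hostile ones included.
function agree(pattern) {
  return hasBracesGreedy(pattern) === hasBracesLinear(pattern);
}

// Time one check on one input; returns elapsed milliseconds.
function timeMs(check, pattern) {
  const start = process.hrtime.bigint();
  check(pattern);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Constructed hostile input: many opening braces and no closing brace, the
// shape that forces the greedy pattern to backtrack from every "{" position.
function hostileInput(n) {
  return '{'.repeat(n);
}

// Stand-alone demo: doubling n roughly quadruples the greedy time while the
// linear scan stays flat. Sizes are kept small so the demo finishes quickly.
if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [2000, 4000, 8000]) {
    const input = hostileInput(n);
    console.log(
      `n=${n}: greedy ${timeMs(hasBracesGreedy, input).toFixed(1)} ms, ` +
      `linear ${timeMs(hasBracesLinear, input).toFixed(1)} ms`
    );
  }
}
```

Run it with node to see the quadratic growth of the greedy check against the flat linear one. The agree() differential check is the kind of test to add alongside any such replacement so the safe implementation cannot silently change matching semantics.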