Lint-staged is a popular npm package that helps developers automatically format and lint code before committing it. This prevents messy code from entering the repository and ensures consistent code quality across a project. Versions 15.0.1 and 15.0.0 are very similar. The primary difference between the two releases appears to be the release date and potentially some minor internal changes, as reflected in the unpacked size of the package. Version 15.0.1 was released on October 15, 2023, while version 15.0.0 was released on October 14, 2023, a day earlier. The difference in 'unpackedSize', although small, suggests that bug fixes or minor optimizations might have been incorporated in the newer version.
For developers, lint-staged offers a streamlined workflow. By integrating with Git, it automatically identifies staged files and applies the configured linters and formatters, such as ESLint and Prettier. This contributes to a clean commit history and reduces the workload of manual code reviews. Thanks to its simple configuration in package.json or a dedicated config file, developers can easily customize the linting and formatting rules while continuing to use the tools and plugins they are used to. Updating from 15.0.0 to 15.0.1 is advisable to get the latest bug fixes.
All the vulnerabilities related to version 15.0.1 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking over the input while it does not find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix, but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
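A practical way to act on the advisory above is to check whether any copy of micromatch older than the fixed release 4.0.8 is installed in a project's dependency tree, including nested copies under other packages. The following Node.js script is an added example, not code from lint-staged or micromatch. It assumes an npm package-lock.json in lockfileVersion 2 or 3 format, where installed packages are listed under a "packages" map keyed by their node_modules path; the sample lockfile fragment embedded below is constructed for demonstration.

```javascript
// Added example (not part of lint-staged or micromatch): scan a package-lock.json
// (lockfileVersion 2/3 "packages" map) for micromatch entries older than 4.0.8,
// the fixed version named in the ReDoS advisory.

// Constructed sample lockfile fragment: one outdated micromatch at the top level,
// one already-fixed copy nested under a hypothetical dependency "some-tool".
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', devDependencies: { 'lint-staged': '15.0.1' } },
    'node_modules/lint-staged': { version: '15.0.1' },
    'node_modules/micromatch': { version: '4.0.5' },
    'node_modules/some-tool/node_modules/micromatch': { version: '4.0.8' },
  },
});

// First micromatch release without the greedy-backtracking pattern, per the advisory.
const FIXED_MICROMATCH = '4.0.8';

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release and build suffixes are dropped.
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric comparison of two versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return every installed micromatch path whose version predates the fix.
function findVulnerableMicromatch(lockfileText, fixedVersion = FIXED_MICROMATCH) {
  const lock = JSON.parse(lockfileText);
  const packages = lock.packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    // Match micromatch at the end of the path so nested copies are also caught.
    if (!/(^|\/)node_modules\/micromatch$/.test(path)) continue;
    if (meta && meta.version && compareVersions(meta.version, fixedVersion) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Human-readable report lines for a lockfile's micromatch findings.
function report(lockfileText) {
  const hits = findVulnerableMicromatch(lockfileText);
  if (hits.length === 0) {
    return [`OK: no micromatch older than ${FIXED_MICROMATCH} found`];
  }
  return hits.map((h) => `VULNERABLE: ${h.path} is micromatch ${h.version} (< ${FIXED_MICROMATCH})`);
}

// Run against the constructed sample; replace SAMPLE_LOCK with the contents of a real lockfile.
console.log(report(SAMPLE_LOCK).join('\n'));
```

The version comparison is deliberately numeric rather than a string comparison, since "4.0.10" sorts before "4.0.8" lexically but is newer. In a real project the same question can be asked of npm directly with npm ls micromatch, which prints every installed copy and the path it was pulled in through; the lockfile scan above is useful where a CI job needs to fail on an outdated copy without installing anything.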