Lint-staged, a popular tool for running linters on staged git files, released version 15.0.2 shortly after 15.0.1. The two versions share the same core functionality of linting staged files; what distinguishes the newer release is a set of dependency updates.
In version 15.0.2, the yaml dependency was bumped from 2.3.2 to 2.3.3 and listr2 from 7.0.1 to 7.0.2. Among the development dependencies, @commitlint/cli was updated from 17.7.2 to 17.8.0 and @commitlint/config-conventional from 17.7.0 to 17.8.0. These updates likely carry bug fixes, performance improvements and possibly new features in those packages, which indirectly improves the robustness and efficiency of lint-staged. Developers integrating lint-staged into their workflow benefit from the updated dependencies through better compatibility and the latest improvements in the linting ecosystem. A developer who wants to stay as current as possible will prefer 15.0.2; otherwise, 15.0.1 should still work fine.
All the vulnerabilities related to version 15.0.2 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* greedily matches anything. When given a malicious payload, the pattern matching keeps backtracking through the input as long as it does not find the closing bracket. As the input size increases, the time consumed also increases, until the application hangs or slows down. A fix had been merged, but further testing showed that the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. The issue should be mitigated by using a safe pattern that does not start backtracking the regular expression because of greedy matching.
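The following is an added example, written for this page and not taken from micromatch's source, that shows the class of check the advisory describes and how a defender can replace it. hasBracesNaive is a constructed stand-in for a test of the form "opening brace, then .*, then closing brace"; it is not micromatch's actual regular expression. hasBracesSafe, timeCheck, hostileInput and compareCost are hypothetical names chosen here. The hostile input (a long run of opening braces with no closing one) is constructed for the demonstration.

```javascript
// Added illustration of the ReDoS class described in the advisory above.
// hasBracesNaive is NOT micromatch's code: it is a constructed stand-in for
// a check shaped like "an opening brace, then `.*`, then a closing brace".

// The greedy `.*` first swallows the rest of the input, then the engine
// must back off one character at a time looking for `}`. On input that
// never closes the brace this happens after every `{`, so the total work
// grows quadratically with the input length.
function hasBracesNaive(pattern) {
  return /\{.*\}/.test(pattern);
}

// Safe replacement: two index lookups, no regular expression, so the cost
// is linear in the input length no matter how the input is shaped.
// (Difference from the naive regex: `.` does not cross newlines, this
// scan does; for glob patterns that distinction does not matter.)
function hasBracesSafe(pattern) {
  const open = pattern.indexOf('{');
  if (open === -1) return false;
  return pattern.indexOf('}', open + 1) !== -1;
}

// Constructed hostile input: many opening braces and never a closing one.
function hostileInput(n) {
  return '{'.repeat(n);
}

// Measure one call: returns the boolean result and the elapsed time in ms.
function timeCheck(fn, input) {
  const start = process.hrtime.bigint();
  const result = fn(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { result, elapsedMs };
}

// Run both checks over hostile inputs of increasing size so the growth in
// cost of the naive check is visible next to the flat cost of the safe one.
function compareCost(sizes) {
  return sizes.map((n) => {
    const input = hostileInput(n);
    const naive = timeCheck(hasBracesNaive, input);
    const safe = timeCheck(hasBracesSafe, input);
    return { n, naiveMs: naive.elapsedMs, safeMs: safe.elapsedMs };
  });
}

// Demo: sizes kept small so the naive check finishes in well under a second.
for (const row of compareCost([1000, 4000])) {
  console.log(
    `n=${row.n}: naive ${row.naiveMs.toFixed(3)} ms, safe ${row.safeMs.toFixed(3)} ms`
  );
}
```

Doubling the input roughly quadruples the naive check's time while the safe check stays flat; that growth pattern is what to look for when reviewing any regex applied to untrusted path or glob input. To confirm which micromatch version a lint-staged installation pulls in, `npm ls micromatch` lists the resolved version, and `npm audit` reports whether it falls below the fixed release named above.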