Lint-staged, a popular tool for running linters on staged files, released version 15.1.0, building upon the solid base of version 15.0.2. While the core functionality remains the same – preventing messy commits by ensuring code quality before they're committed – several dependency updates bring notable improvements. Most notably, the newer version upgrades eslint from 8.51.0 to 8.53.0, @babel/core from 7.23.2 to 7.23.3, @babel/eslint-parser from 7.22.15 to 7.23.3, @commitlint/cli from 17.8.0 to 18.4.0, and @babel/preset-env from 7.23.2 to 7.23.3. These updates likely include bug fixes, performance enhancements, and potentially new linting rules or language feature support, ensuring a more robust and up-to-date linting experience.
Developers leveraging lint-staged should upgrade to version 15.1.0 to benefit from these improvements in underlying linting tools. The upgrade to @commitlint/cli is a key change, as this unlocks new commit message linting capabilities and alignment with the latest commitlint standards. This allows for better enforcement of commit message conventions and ultimately a cleaner project history. While seemingly minor, these dependency bumps collectively contribute to a more polished and reliable linting workflow, catching potential issues earlier in the development cycle and promoting code consistency. If you're looking to improve code quality and streamline your git workflow with pre-commit hooks, lint-staged could be a vital asset.
All vulnerabilities related to version 15.1.0 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. When a malicious payload is passed, the pattern matching keeps backtracking through the input as long as it does not find the closing bracket. As the input size increases, the processing time increases with it until the application hangs or slows down. There was a merged fix, but further testing showed that the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that will not start backtracking the regular expression due to greedy matching.
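The practical defensive check for an advisory like this is whether any copy of micromatch resolved in a project's lock file is older than the fixed version. The script below is an added example, not code from lint-staged or micromatch: it walks a package-lock.json in both the v2/v3 "packages" layout and the older nested "dependencies" layout and reports every micromatch entry below 4.0.8 (the fixed version stated above). The lock-file contents in SAMPLE_LOCK are constructed sample data, not a real project's, and the helper names are the example's own.

```javascript
// Added example (not lint-staged's or micromatch's code): find copies of
// micromatch in a package-lock.json that are older than the advisory's fix.
const VULNERABLE_PACKAGE = "micromatch";
const FIXED_VERSION = "4.0.8"; // first non-vulnerable version per the advisory above

// Compare two semver-style versions numerically (pre-release tags are ignored).
// Returns -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return [{ path, version }] for every micromatch entry below FIXED_VERSION.
function findVulnerableMicromatch(lock) {
  const findings = [];
  const record = (path, version) => {
    if (version && compareVersions(version, FIXED_VERSION) < 0) {
      findings.push({ path, version });
    }
  };

  if (lock.packages) {
    // Lockfile v2/v3: flat map keyed by install path, e.g. "node_modules/a/node_modules/micromatch".
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${VULNERABLE_PACKAGE}`)) record(path, meta.version);
    }
  } else {
    // Lockfile v1: nested "dependencies" trees; walk them recursively.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === VULNERABLE_PACKAGE) record(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample lock file (lockfile v3 layout): one vulnerable copy hoisted
// to the top level and one already-fixed copy nested under a hypothetical package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/micromatch": { version: "4.0.5" },
    "node_modules/some-tool": { version: "2.0.0" },
    "node_modules/some-tool/node_modules/micromatch": { version: "4.0.8" },
  },
};

// Stand-alone usage: prints the single vulnerable entry from the sample data.
console.log(findVulnerableMicromatch(SAMPLE_LOCK));
```

To run this against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; any finding means the tree still resolves a micromatch release that the advisory covers, and the remediation is to refresh the lock so that every copy is 4.0.8 or later.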