Lint-staged has released version 15.2.0, a minor update to the previous stable version 15.1.0. Both versions run linters against the files staged in Git so that problems are caught before a commit lands. The main runtime change is the listr2 dependency, which moves from 7.0.2 to 8.0.0; listr2 drives lint-staged's task runner and terminal output, so this is where any difference in behaviour during a run is most likely to surface.
In the development dependencies, eslint moves from 8.53.0 to 8.55.0, prettier from 3.0.3 to 3.1.0, @changesets/cli from 2.26.2 to 2.27.1 and @commitlint/cli from 18.4.0 to 18.4.3. These are used to lint, format and release lint-staged itself; devDependencies are not installed by consumers of the package, so they change nothing about what lint-staged runs in your repository.
Several Babel-related devDependencies present in 15.1.0 (@babel/core, @babel/preset-env and @babel/eslint-parser) are gone in 15.2.0, which suggests the project's build or test tooling no longer needs a transpile step. Fewer devDependencies mean a smaller install and less tooling to maintain for contributors to the project. Overall, 15.2.0 is an incremental release: dependency updates and tooling cleanup rather than new features, for teams that rely on automated linting in their Git workflow.
All vulnerabilities reported against version 15.2.0 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The npm package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern ".*" will greedily match anything. By passing a malicious payload, the pattern matching keeps backtracking through the input while it does not find the closing bracket. As the input size increases, the time consumed also increases until the application hangs or slows down. There was a merged fix, but further testing showed the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. The issue should be mitigated by using a safe pattern that does not start backtracking the regular expression due to greedy matching.
lint-staged uses micromatch to match staged file paths against the globs in its configuration, so exposure depends on the micromatch version that your lockfile actually resolves, not on the lint-staged version alone. Check it with npm ls micromatch and make sure the resolved version is 4.0.8 or later.
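To make the advisory concrete, the following is an added example and not code from lint-staged or micromatch. It models the shape of the check the advisory describes (a regex with a greedy ".*" between "{" and "}"; the exact pre-4.0.8 micromatch source is not reproduced) beside a linear-time replacement that returns the same answer, and times both on a constructed hostile input. The helper names hasBracesGreedy, hasBracesLinear, timeCheck and findDisagreements, and the sample patterns, are all assumptions made for this example.

```javascript
'use strict';
// Added example, not code from lint-staged or micromatch. It models the
// brace-detection check the advisory describes and contrasts it with a
// backtracking-free version. All names and sample inputs below are constructed.

// Shape of the vulnerable check: a greedy ".*" between the braces. Every "{"
// is a candidate start; ".*" runs to the end of the string, then backtracks one
// character at a time looking for "}". With many "{" and no "}" the work is
// quadratic in the input length. A lazy ".*?" has the same worst case.
const GREEDY_BRACE_RE = /\{.*\}/;

function hasBracesGreedy(pattern) {
  return GREEDY_BRACE_RE.test(pattern);
}

// Hardened replacement with no regex at all: one pass that remembers whether a
// "{" has been seen on the current line. Resetting on line terminators keeps
// the result identical to the regex, because "." does not match them.
function hasBracesLinear(pattern) {
  if (typeof pattern !== 'string') throw new TypeError('Expected a string');
  let sawOpen = false;
  for (const ch of pattern) {
    if (ch === '\n' || ch === '\r' || ch === '\u2028' || ch === '\u2029') {
      sawOpen = false;
    } else if (ch === '{') {
      sawOpen = true;
    } else if (ch === '}' && sawOpen) {
      return true;
    }
  }
  return false;
}

// Runs one check and reports its result and wall-clock cost in milliseconds.
function timeCheck(check, input) {
  const start = performance.now();
  const result = check(input);
  return { result, ms: performance.now() - start };
}

// Constructed inputs: ordinary globs of the kind a lint-staged config holds,
// two edge cases (closing brace first, line break inside the braces), and a
// hostile string of many "{" with no closing "}".
const BENIGN_PATTERNS = ['*.js', 'src/**/*.{ts,tsx}', '{a,b}/*.css', 'file}{', 'a{b\n}c'];
const HOSTILE_PATTERN = '{'.repeat(10000);

// Returns every pattern on which the two checks disagree (expected: none).
function findDisagreements(patterns = BENIGN_PATTERNS) {
  return patterns.filter(p => hasBracesGreedy(p) !== hasBracesLinear(p));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of BENIGN_PATTERNS) {
    console.log(JSON.stringify(p), 'greedy:', hasBracesGreedy(p), 'linear:', hasBracesLinear(p));
  }
  const slow = timeCheck(hasBracesGreedy, HOSTILE_PATTERN);
  const fast = timeCheck(hasBracesLinear, HOSTILE_PATTERN);
  console.log(`hostile input (${HOSTILE_PATTERN.length} chars):`,
    `greedy ${slow.ms.toFixed(1)} ms, linear ${fast.ms.toFixed(1)} ms`);
}
```

Run it with node and compare the two timings on the hostile string; doubling its length roughly quadruples the greedy time while the linear check stays flat. The line-terminator handling is there only to keep the replacement exactly equivalent to the regex on unusual input; for real glob patterns it never triggers.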