Lint-staged, a popular tool for running linters on Git staged files, recently released version 15.2.1, a minor update following version 15.2.0. While both versions share core functionalities like linting staged files using tools configured via lilconfig, developers should note the dependency updates. The key difference lies in the updated dependency versions for both dependencies (packages required for lint-staged to operate at its core) and devDependencies (packages required for project development, not runtime) that signal improvements or bug fixes in the underlying packages.
Specifically, listr2 was updated from version 8.0.0 to 8.0.1 in dependencies. When we look at devDependencies, significant bumps occurred for eslint (from 8.55.0 to 8.56.0), prettier (from 3.1.0 to 3.2.4), @commitlint/cli (from 18.4.3 to 18.4.4), eslint-plugin-import (from 2.29.0 to 2.29.1), eslint-config-prettier (from 9.0.0 to 9.1.0), and eslint-plugin-prettier (from 5.0.1 to 5.1.3). @commitlint/config-conventional also saw a bump from 18.4.3 to 18.4.4. These updates likely include enhanced linting rules, improved code formatting, and better commit message validation. Developers using lint-staged should consider upgrading to 15.2.1 to leverage these improvements, potentially leading to cleaner code, more consistent formatting, and better adherence to project coding standards.
The unpacked size also changed slightly, from 119669 to 119713.
All the vulnerabilities related to version 15.2.1 of the package

Regular Expression Denial of Service (ReDoS) in micromatch

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking into the input as long as it does not find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix, but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
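An added illustration of the mitigation the advisory describes, not code from lint-staged or micromatch: a brace-detection check written with a greedy `.*` regex (a hypothetical stand-in for the pattern in the advisory, not a quote of micromatch's index.js) beside a single-pass scan that has nothing to backtrack into. The constant UNCLOSED_PATTERN is a constructed input with no closing bracket.

```javascript
// Greedy variant (hypothetical, in the spirit of the advisory): `.*` swallows the
// rest of the input, then the engine steps back one character at a time looking
// for `}`. With many unclosed `{` in the input that scan is repeated from every
// `{`, so the work grows quadratically with the input length.
const GREEDY_BRACE_RE = /\{.*\}/;
function hasBracesGreedy(pattern) {
  return GREEDY_BRACE_RE.test(pattern);
}

// Safe variant: one left-to-right pass that remembers whether a `{` has been seen
// and returns as soon as a `}` follows it. No regex, so there is no backtracking;
// the cost is always proportional to the input length. (Patterns are single-line
// globs here, so the newline behaviour of `.` is not modelled.)
function hasBracesSafe(pattern) {
  if (typeof pattern !== 'string') throw new TypeError('Expected a string');
  let open = false;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '{') open = true;
    else if (ch === '}' && open) return true;
  }
  return false;
}

// Constructed adversarial-shaped input: many opening brackets, never closed.
// hasBracesSafe returns false after one pass; hasBracesGreedy on the same input
// takes measurably longer, and roughly four times longer again if you double
// the length, which is the quadratic behaviour the advisory warns about.
const UNCLOSED_PATTERN = '{'.repeat(20000);

// Ordinary glob patterns, for which both checks agree.
const SAMPLE_PATTERNS = ['*.{js,ts}', 'src/**/*.js', 'a}b{c', '{unclosed'];
```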