Lint-staged version 15.2.4 brings several dependency updates compared to the previous stable version 15.2.2. The yaml dependency moves from 2.3.4 to 2.4.2. listr2, which drives task execution and progress output inside lint-staged, moves from 8.0.1 to 8.2.1. commander, the command-line argument parser, gets the only major bump of the set, from 11.1.0 to 12.1.0. lilconfig, used for configuration discovery, moves from 3.0.0 to 3.1.1, and micromatch, used for filename matching, moves from 4.0.5 to 4.0.6. Apart from commander these are minor or patch releases, so consumers should not expect API changes from them; note, however, that the micromatch bump stops short of the version named as fixed in the advisory listed below.
In the devDependencies section, eslint moves from 8.56.0 to 8.57.0, @changesets/cli from 2.27.1 to 2.27.3, @commitlint/cli from 18.4.4 to 19.3.0 and @commitlint/config-conventional from 18.4.4 to 19.2.2. These only affect lint-staged's own development workflow (linting, release and commit-message tooling); npm does not install a dependency's devDependencies, so they do not reach projects that depend on lint-staged. The unpackedSize reported by the registry grows from 120058 to 120598 bytes, consistent with small code changes alongside the dependency updates.
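Whether the micromatch advisory listed later on this page (fixed in 4.0.8) applies to a given project depends on which micromatch versions the lockfile actually resolves, not only on what lint-staged declares. The following script is an added example, not code from lint-staged or micromatch: it walks the "packages" map of an npm lockfile (lockfileVersion 2 or 3), finds every installed copy of a package, top-level or nested, and flags those below the fixed version. The embedded lockfile is constructed for the demo and models lint-staged 15.2.4 keeping its own nested micromatch 4.0.6 next to a patched hoisted copy.

```javascript
'use strict';
// Added example, not part of lint-staged or micromatch: scan an npm lockfile
// (lockfileVersion 2 or 3, the "packages" map) for every installed copy of a
// package and flag those below the version an advisory names as fixed.
// The lockfile below is constructed for this demo.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b. A
// prerelease sorts before its release (4.0.8-rc.1 < 4.0.8), which matters
// when the fixed version is exactly the one being checked against.
// Prerelease identifiers are compared lexically, which is enough here.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Every installed copy of `name`: hoisted to the top level or nested under
// another package's node_modules. Keys look like
// "node_modules/lint-staged/node_modules/micromatch".
function findInstalled(lock, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== '' && path.endsWith(`node_modules/${name}`)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Copies strictly below `fixed` are affected by the advisory.
function findVulnerable(lock, name, fixed) {
  return findInstalled(lock, name).filter(h => compareSemver(h.version, fixed) < 0);
}

// Constructed sample: lint-staged 15.2.4 still resolving micromatch 4.0.6
// under itself, while a patched 4.0.8 copy is hoisted to the top level. A
// check of the top-level copy alone would miss the nested one.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/lint-staged': { version: '15.2.4', dependencies: { micromatch: '4.0.6' } },
    'node_modules/lint-staged/node_modules/micromatch': { version: '4.0.6' },
    'node_modules/micromatch': { version: '4.0.8' },
  },
};

// Print affected copies and return their count (usable as an exit code).
function report(lock, name, fixed) {
  const bad = findVulnerable(lock, name, fixed);
  for (const b of bad) {
    console.log(`affected: ${b.path} (${name} ${b.version} < ${fixed})`);
  }
  if (bad.length === 0) console.log(`no ${name} copies below ${fixed} found`);
  return bad.length;
}

report(SAMPLE_LOCK, 'micromatch', '4.0.8');
```

To run it against a real tree, replace SAMPLE_LOCK with the parsed contents of package-lock.json (for example via fs.readFileSync and JSON.parse). The quick manual equivalent is npm ls micromatch, which also lists every resolved copy; the script's value is that it turns the same check into something a CI job can fail on.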
All vulnerabilities related to version 15.2.4 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is in micromatch.braces() in index.js, where the pattern .* greedily matches anything. Given a crafted input, the matcher keeps backtracking through the input as long as it fails to find the closing bracket, and the time spent grows with the input size until the application slows down or hangs. A fix had been merged earlier, but further testing showed the issue persisted until https://github.com/micromatch/micromatch/pull/266. The mitigation is a safe pattern that does not start backtracking because of greedy matching.
How this applies to lint-staged 15.2.4: this release depends on micromatch 4.0.6, which is below the fixed version, so the vulnerable code is present in its dependency tree. Confirm what is actually installed with npm ls micromatch, since a lockfile can resolve more than one copy of the package, and make sure every copy reaches 4.0.8 or later. The patterns micromatch receives from lint-staged are the glob keys of the project's own configuration, so triggering the slowdown through lint-staged requires control over that configuration, and the impact is a hung lint-staged run rather than code execution; any other package in the tree that passes untrusted patterns to micromatch needs its own assessment.
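The following is an added example, not micromatch's own source, showing the shape of the problem the advisory describes beside the kind of fix it recommends. The page states only that micromatch.braces() used a greedy .* to look for the closing bracket; the exact /\{.*\}/ regex below is an assumption about that check, and the expand callback stands in for the brace-expansion library so the snippet runs stand-alone. The timing harness at the bottom lets you see the quadratic growth on a crafted input of repeated opening braces with no closing brace.

```javascript
'use strict';
// Added example, not micromatch's own code: the regex shape behind the ReDoS
// the advisory describes, beside a linear-time replacement and a small timing
// harness. The page says only that micromatch.braces() used a greedy `.*` to
// look for the closing brace; the exact `/\{.*\}/` form below is an assumption.

// Vulnerable shape. On each `{` the engine lets `.*` swallow the rest of the
// string, then backtracks one character at a time hunting for a `}`. With k
// opening braces and no closing brace that is k scans of the remainder:
// quadratic in the input length.
const GREEDY_BRACE_CHECK = /\{.*\}/;
function hasBracesRegex(pattern) {
  return GREEDY_BRACE_CHECK.test(pattern);
}

// Hardened replacement: answer the same question ("is there a `{` with a `}`
// somewhere after it?") with two indexOf calls. Each is a single forward
// scan, so the cost is linear and no input can make it backtrack.
// (Unlike `.`, this also accepts a newline between the braces.)
function hasBracesScan(pattern) {
  const open = pattern.indexOf('{');
  return open !== -1 && pattern.indexOf('}', open + 1) !== -1;
}

// The gate braces() applies before handing a pattern to brace expansion,
// modelled on the advisory's description. `check` is the detector under test
// and `expand` stands in for the expansion library so this runs stand-alone.
function bracesGuard(pattern, check, expand) {
  if (typeof pattern !== 'string') throw new TypeError('Expected a string');
  if (!check(pattern)) return [pattern];
  return expand(pattern);
}

// The crafted input the advisory implies: many `{`, never a `}`.
function payload(n) {
  return '{'.repeat(n);
}

// Monotonic clock in ms; falls back to Date.now on runtimes without `performance`.
const now = () => (typeof performance !== 'undefined' ? performance.now() : Date.now());

// Wall-clock cost of one call in milliseconds.
function timeMs(fn, input) {
  const t0 = now();
  fn(input);
  return now() - t0;
}

// Ratio of the cost at 2n to the cost at n: roughly 4 for quadratic
// behaviour, roughly 2 (or noise) for linear.
function growthRatio(fn, n) {
  const small = timeMs(fn, payload(n));
  const large = timeMs(fn, payload(2 * n));
  return large / Math.max(small, 0.001);
}

function main() {
  for (const n of [2000, 4000, 8000]) {
    const r = timeMs(hasBracesRegex, payload(n)).toFixed(1);
    const s = timeMs(hasBracesScan, payload(n)).toFixed(3);
    console.log(`n=${n}\tgreedy regex ${r} ms\tindexOf scan ${s} ms`);
  }
  console.log(`regex growth ratio at 2x input: ~${growthRatio(hasBracesRegex, 4000).toFixed(1)}`);
}
main();
```

Raise the sizes in main() to see the regex column climb into seconds while the scan column stays flat. The design point is the one the advisory makes: the fix is not a tighter regex but a check whose worst case is bounded by the input length, so an attacker who controls the pattern cannot choose its cost.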