Lint-staged is a popular npm package that streamlines the development workflow by running linters only on the files staged for commit in Git. Comparing versions 3.2.5 and 3.2.4 reveals subtle but potentially relevant changes for developers. Both versions share the same core dependencies (execa, listr, which, minimatch, npm-which, cosmiconfig, app-root-path and staged-git-files), so existing setups and features such as executing commands and building task lists continue to work unchanged. Both versions also declare the same devDependencies, which matter only for developing and testing the library itself; the tooling for testing, linting and continuous integration is therefore identical in both releases.
The key difference is the removal of the tmp package from the devDependencies in version 3.2.5. tmp was not a runtime dependency, so this does not affect lint-staged's behavior, but it does point to a change in the internal testing or build process. Developers should take note only if they relied on tmp being present indirectly through lint-staged's tooling or tests, which was never guaranteed. This is unlikely to affect most users and matters mainly to those working on the library directly. The release dates from December 2016 and provides an automation utility for developers.
Known vulnerabilities affecting version 3.2.5 of the package
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the cross-spawn package before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can drive CPU usage up and crash the program by supplying a very large, specially crafted string. Because lint-staged 3.2.5 does not depend on cross-spawn directly, the affected copy arrives transitively (through dependencies such as execa and npm-which), so the installed version should be checked in the lockfile rather than in lint-staged's own package.json.
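The following is an added example, not code from lint-staged or from this comparison page: it walks a package-lock.json (either the v1 nested "dependencies" tree or the v2/v3 "packages" map) and reports every copy of cross-spawn older than the fixed release 7.0.5, including nested copies that a transitive dependency pins separately. The sample lockfile fragment and its version numbers are constructed for illustration and do not reflect a real install.

```javascript
// Added example: find every cross-spawn entry below the fixed release 7.0.5
// in a package-lock.json object, including nested (transitive) copies.
const FIXED_CROSS_SPAWN = '7.0.5';

// Compare two "major.minor.patch" strings; pre-release tags are ignored,
// which is sufficient for the stable releases an audit usually deals with.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return [{ path, version }] for each cross-spawn copy older than `fixed`.
function findVulnerableCrossSpawn(lock, fixed = FIXED_CROSS_SPAWN) {
  const hits = [];
  const check = (path, version) => {
    if (version && compareSemver(version, fixed) < 0) hits.push({ path, version });
  };
  if (lock.packages) {
    // lockfile v2/v3: flat map keyed by install path, nested copies included
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key.endsWith('node_modules/cross-spawn')) check(key, meta.version);
    }
    return hits;
  }
  // lockfile v1: recursive "dependencies" tree
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix ? `${prefix} > ${name}` : name;
      if (name === 'cross-spawn') check(path, meta.version);
      walk(meta.dependencies, path);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed v1 lockfile fragment (hypothetical versions) for a lint-staged
// 3.2.5 install where two dependencies pin different cross-spawn copies.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'lint-staged': { version: '3.2.5', dependencies: {
      execa: { version: '0.5.1', dependencies: { 'cross-spawn': { version: '4.0.2' } } },
      'npm-which': { version: '3.0.1', dependencies: { 'cross-spawn': { version: '7.0.6' } } },
    } },
  },
};
console.log(findVulnerableCrossSpawn(sampleLock)); // flags only the 4.0.2 copy under execa
```

Against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result means every installed copy of cross-spawn is at or above 7.0.5.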