Lint-staged is a popular npm package that helps developers automatically lint files that are staged in Git, ensuring code quality and consistency before commits. Comparing versions 3.4.0 and 3.3.2, the core functionality remains the same: running linters against staged files. Both versions share identical dependencies, including execa for executing commands, listr for creating elegant task lists, minimatch for file matching, npm-which for locating npm binaries, cosmiconfig for configuration, app-root-path for resolving the project root, and staged-git-files for retrieving staged files. Their development dependencies are also completely identical, meaning the same tools are used for testing, linting, and package building. Both rely on tools such as jest, eslint, babel, and semantic-release for these tasks.
Essentially, the difference lies solely in the timing of their release. Version 3.4.0 merely represents a more recent publication, as indicated by its releaseDate of March 13, 2017, at 19:07:05 UTC, while version 3.3.2 was released earlier on the same day, at 09:15:25 UTC. Developers choosing between these two versions can effectively consider them equivalent in features and core functionality. The newer 3.4.0 might be preferred for any latest bug fixes, although no specific changes are documented that motivate the release. Developers should always refer to the package's changelog for a more detailed overview of changes.
All the vulnerabilities related to version 3.4.0 of the package
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase CPU usage and crash the program by supplying a very large, specially crafted string.