NPM Package JSON Lint version 3.0.0 represents a significant upgrade over version 2.11.2, moving from a simple CLI app to a configurable linter for package.json files. This gives developers greater control over the linting process, tailoring it to their specific project requirements. A key difference is the introduction of ajv and glob, enabling schema validation and flexible file matching, respectively. The meow package adds structure to the command-line interface. Other new dependencies include is-resolvable, is-path-inside and strip-json-comments.
Several dependency versions have been updated. For instance, chalk and semver have been bumped to versions 2.4.1 and 5.5.0 respectively. Major differences include the removal of commander and user-home.
From a development perspective, version 3.0.0 is much more powerful thanks to configurability and schema validation. However, developers should note that the change in dependencies may require adjustments to existing workflows and configurations. The updated version offers more granular control and better integration into modern development pipelines, and the move to a configurable linter allows a more refined and effective approach to maintaining the integrity of package.json files. The newer release also has a larger unpacked size, growing from 96498 to 126313 because of the new dependencies.
Vulnerabilities affecting version 3.0.0 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
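As an added illustration, not code from yargs-parser or npm-package-json-lint: a minimal "--key value" parser with a dotted-path setter in the vulnerable form (it follows the prototype chain, so the advisory's argument reaches Object.prototype) beside a hardened form that refuses prototype-reaching segments. The names setPathUnsafe, setPathSafe, parseArgs and FORBIDDEN_SEGMENTS are assumptions made for this example.

```javascript
// Added example, not code from yargs-parser or npm-package-json-lint.
// Two dotted-path setters for "--a.b.c value" arguments: the vulnerable
// pattern and a hardened one that never reaches the prototype chain.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'prototype', 'constructor']);

// Vulnerable: a segment of "__proto__" resolves to Object.prototype, so the
// final assignment lands on every object in the process.
function setPathUnsafe(target, dottedKey, value) {
  const keys = dottedKey.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof node[keys[i]] !== 'object' || node[keys[i]] === null) node[keys[i]] = {};
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: reject prototype-reaching segments up front and only traverse
// own properties, creating null-prototype containers along the way.
function setPathSafe(target, dottedKey, value) {
  const keys = dottedKey.split('.');
  if (keys.some((k) => FORBIDDEN_SEGMENTS.has(k))) {
    throw new Error(`unsafe key segment in "${dottedKey}"`);
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(node, keys[i]);
    if (!own || typeof node[keys[i]] !== 'object' || node[keys[i]] === null) {
      node[keys[i]] = Object.create(null);
    }
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Parses "--key value" pairs (a bare "--flag" becomes true) with the given setter.
// The result root has no prototype; note that this alone does not stop the
// unsafe setter, because nested containers it creates are ordinary objects.
function parseArgs(argv, setPath) {
  const result = Object.create(null);
  for (let i = 0; i < argv.length; i++) {
    if (!argv[i].startsWith('--')) continue;
    const hasValue = i + 1 < argv.length && !argv[i + 1].startsWith('--');
    setPath(result, argv[i].slice(2), hasValue ? argv[++i] : true);
  }
  return result;
}
```

Running parseArgs(['--foo.__proto__.bar', 'baz'], setPathUnsafe) gives every plain object a bar property, while the same call with setPathSafe throws before any assignment happens.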
Uncontrolled Resource Consumption in trim-newlines
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has a regular expression denial-of-service (ReDoS) issue in the .end() method.
Inefficient Regular Expression Complexity in validator.js
validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression Complexity.