Version 3.2.0 of npm-package-json-lint is a small follow-up to 3.1.0. Both versions are configurable linters for package.json files that help keep project configuration consistent and free of syntax and structure errors. The visible difference between the two releases is in dependencies. Among runtime dependencies, ajv (a JSON Schema validator) moves from 6.5.0 to 6.5.2 and validator from 10.2.0 to 10.4.0. Among development dependencies, eslint moves from 4.19.1 to 5.1.0 and eslint-config-tc from 3.0.0 to 4.0.0; development dependencies are not installed by consumers of the package and only affect the linter's own test and lint setup. The unpacked size of the package also grew slightly. Upgrading to 3.2.0 is recommended to pick up the dependency fixes, with two caveats for anyone reviewing the security posture of a project that uses it: validator 10.4.0 is still within the range covered by the validator.js advisory listed on this page, and the other advisories listed here concern packages reached through the dependency tree, whose resolved versions depend on the consuming project's lockfile. Run npm ls <package> and npm audit in the consuming project to see which versions are actually installed.
Known vulnerabilities affecting version 3.2.0 of the package through its dependency tree
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later. Because yargs-parser reaches this package through its dependency tree, the version that matters is the one resolved in the consuming project's lockfile; npm ls yargs-parser shows which copy is installed and through which dependency chain.
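To make the mechanism concrete, here is an added example (not yargs-parser's own code, and not taken from this page) of a minimal argv parser that reproduces the dotted-key assignment behind the advisory, next to a hardened variant. The argument strings, the parser's option syntax and the function names are constructed for the demonstration; the payload is the one quoted in the advisory.

```javascript
'use strict';
// Added example; this is NOT yargs-parser's source. A minimal argv parser
// that reproduces the dotted-key assignment behind the advisory, next to a
// hardened variant. All argument strings are constructed for the demo.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: walks "a.b.c", creating intermediate objects as needed.
// A segment named "__proto__" resolves to Object.prototype through the
// inherited accessor, so the final assignment lands on every object.
function setPathUnsafe(target, dottedKey, value) {
  const segments = dottedKey.split('.');
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (cur[seg] === null || typeof cur[seg] !== 'object') cur[seg] = {};
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
}

// Hardened: refuse any segment that can reach a shared prototype, and only
// descend into properties the current object actually owns.
function setPathSafe(target, dottedKey, value) {
  const segments = dottedKey.split('.');
  if (segments.some((seg) => FORBIDDEN_SEGMENTS.has(seg))) {
    throw new Error(`refusing prototype-polluting key: ${dottedKey}`);
  }
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || cur[seg] === null || typeof cur[seg] !== 'object') cur[seg] = {};
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
}

// Tiny argv parser: "--k v", "--k=v", bare "--flag" (true); other tokens
// are positional and collected under "_".
function parseArgv(argv, setPath) {
  const result = { _: [] };
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (!tok.startsWith('--')) { result._.push(tok); continue; }
    let key = tok.slice(2);
    let value;
    const eq = key.indexOf('=');
    if (eq !== -1) {
      value = key.slice(eq + 1);
      key = key.slice(0, eq);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    } else {
      value = true;
    }
    setPath(result, key, value);
  }
  return result;
}

const parseArgvUnsafe = (argv) => parseArgv(argv, setPathUnsafe);
const parseArgvSafe = (argv) => parseArgv(argv, setPathSafe);

// Feeds the advisory's payload to both parsers and reports whether a fresh,
// unrelated object picked up the injected property. Object.prototype is
// cleaned afterwards so the demo does not leak into the rest of the process.
function prototypePollutionDemo() {
  const payload = ['--foo.__proto__.bar', 'baz', '--port', '8080'];
  const report = {};
  try {
    const parsed = parseArgvUnsafe(payload);
    report.unsafePort = parsed.port;             // '8080': ordinary keys still parse
    report.unsafePolluted = ({}).bar === 'baz';  // true: every object now has .bar
  } finally {
    delete Object.prototype.bar;
  }
  try {
    parseArgvSafe(payload);
    report.safeRejected = false;
  } catch (err) {
    report.safeRejected = true;                  // the hardened parser refuses the key
  }
  report.safePolluted = ({}).bar === 'baz';      // false
  report.safeNested = parseArgvSafe(['--db.host=localhost']).db.host; // 'localhost'
  return report;
}

console.log(prototypePollutionDemo());
```

Run it with node and compare the two halves of the report: the unsafe parser makes bar visible on a brand-new object literal, which is exactly the "property that will exist on all objects" the advisory describes. The hardened setter rejects the three segments that can reach a shared prototype and only descends into own properties, so an attacker who controls argv can still set ordinary nested options but cannot escape the result object.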
Uncontrolled Resource Consumption in trim-newlines
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method. Because trim-newlines reaches this package through its dependency tree, check the resolved version with npm ls trim-newlines in the consuming project.
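The advisory names the failure mode but not the pattern. As an added example (not trim-newlines' source, and not taken from this page), the block below contrasts a backtracking "strip trailing newlines" regex of the kind such an advisory describes with a loop that is linear by construction. The regex is an assumed representative pattern, not quoted from the package; the inputs and function names are constructed for the demonstration.

```javascript
'use strict';
// Added example; this is NOT trim-newlines' source. It contrasts a
// backtracking "strip trailing newlines" regex (an ASSUMED representative
// pattern, not quoted from the package) with a loop that is linear by
// construction. All inputs are constructed for the demo.

// Representative pattern. For a run of n newlines followed by a single
// non-newline character, `[\r\n]+` matches greedily from each of the n start
// offsets, `$` then fails, and the engine backtracks through every shorter
// run before moving on: roughly n^2/2 steps in total.
const TRAILING_NEWLINES_RE = /[\r\n]+$/;

function trimEndRegex(s) {
  return s.replace(TRAILING_NEWLINES_RE, '');
}

// Linear alternative: walk back from the end while the character is
// \r (13) or \n (10), then slice once. No regex, no backtracking.
function trimEndLinear(s) {
  let end = s.length;
  while (end > 0) {
    const c = s.charCodeAt(end - 1);
    if (c !== 10 && c !== 13) break;
    end--;
  }
  return s.slice(0, end);
}

// Adversarial input: many newlines that are NOT at the end of the string,
// so every candidate match of the regex fails.
function adversarialInput(n) {
  return '\n'.repeat(n) + 'x';
}

// Wall-clock time of fn(input) in milliseconds (coarse, for illustration).
function timeMs(fn, input) {
  const t0 = Date.now();
  fn(input);
  return Date.now() - t0;
}

// Checks that both trimmers agree on ordinary input, then times them on
// adversarial input. The regex is timed only on small sizes; doubling the
// size roughly quadruples its time, while the loop handles a million
// characters without difficulty.
function redosDemo() {
  const samples = ['a\n', 'a\r\n\r\n', '\n\n', 'abc', '', 'x\ny\n', 'x\ny'];
  const large = adversarialInput(1000000);
  return {
    agreeOnNormalInput: samples.every((s) => trimEndRegex(s) === trimEndLinear(s)),
    regexMsOn4k: timeMs(trimEndRegex, adversarialInput(4000)),
    regexMsOn8k: timeMs(trimEndRegex, adversarialInput(8000)),
    linearMsOn1M: timeMs(trimEndLinear, large),
    linearKeepsTrailingNonNewline: trimEndLinear(large) === large,
  };
}

console.log(redosDemo());
```

The timing fields are there for a reader running the file; the two trimmers are functionally identical on normal input, and only the loop has a cost bounded by the input length, which is the property a ReDoS fix needs. When auditing a dependency for this class of bug, look for a regex whose repeated character class is immediately followed by an anchor or a required literal that the attacker can keep from ever matching.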
Inefficient Regular Expression Complexity in validator.js
validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression Complexity. Version 3.2.0 of npm-package-json-lint depends on validator 10.4.0, which is within the affected range, so the bump from 10.2.0 does not resolve this advisory.