NPM Package JSON Lint offers configurable linting for your package.json files, ensuring consistency and adherence to best practices within your JavaScript projects. Comparing version 4.4.0 with the previous stable release, 4.3.0, reveals subtle yet potentially impactful changes for developers. Both versions maintain identical dependencies and devDependencies lists, providing a stable base concerning underlying tooling. This means developers can expect familiar compatibility with tools like ESLint, Prettier, Jest, and various configuration packages. The core linting capabilities, powered by ajv and other utilities for JSON validation and configuration handling, remain consistent, ensuring smooth upgrades without requiring significant code modifications.
The primary difference in the published metadata lies in the dist object, specifically the unpackedSize. Version 4.4.0 has an unpacked size of 137471 bytes, a slight increase from version 4.3.0's 137221 bytes. While minor, this increase may indicate small enhancements, bug fixes, or documentation updates bundled into the newer version, such as improved rule definitions, refined error messages, or adjustments to internal processing, all of which contribute to a better developer experience when linting package.json. Developers should consider upgrading to version 4.4.0 to benefit from these potential improvements. Both versions were released in close proximity on December 5th, 2019, suggesting a quick follow-up release addressing minor fixes or improvements.
All the vulnerabilities related to version 4.4.0 of the package:

yargs-parser Vulnerable to Prototype Pollution

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
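The following is an added example, not yargs-parser's own code, showing why a dotted-key argument can reach Object.prototype and how a hardened setter stops it. It models a tiny "--key value" parser (the names setPathNaive, setPathSafe, parseArgs and isPrototypePolluted are this example's own); the naive setter walks the path exactly as the advisory describes, while the safe one refuses the keys __proto__, constructor and prototype and only descends into own properties. The demonstrate function runs the advisory's argument through both and cleans up after itself.

```javascript
// Added example, not yargs-parser's own code: a minimal "--key value" parser
// with dotted keys, in a naive form that exhibits the advisory's behaviour and
// in a hardened form that rejects prototype-reaching keys.

function setPathNaive(target, dottedKey, value) {
  const keys = dottedKey.split('.');
  let o = target;
  for (const k of keys.slice(0, -1)) {
    if (o[k] === undefined) o[k] = {};
    o = o[k]; // for k === '__proto__' this yields Object.prototype ...
  }
  o[keys[keys.length - 1]] = value; // ... and this writes onto it
  return target;
}

// Keys that let a dotted path reach a prototype instead of a plain property.
const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, dottedKey, value) {
  const keys = dottedKey.split('.');
  for (const k of keys) {
    if (PROTO_KEYS.has(k)) {
      throw new Error(`refusing prototype key "${k}" in "${dottedKey}"`);
    }
  }
  let o = target;
  for (const k of keys.slice(0, -1)) {
    // only descend into own properties; inherited ones are shadowed, not followed
    if (!Object.prototype.hasOwnProperty.call(o, k)) o[k] = {};
    o = o[k];
  }
  o[keys[keys.length - 1]] = value;
  return target;
}

// Minimal argv handling: "--key value" pairs and bare "--flag" booleans.
function parseArgs(tokens, setPath) {
  const argv = {};
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (!t.startsWith('--')) continue; // positionals are ignored here
    const key = t.slice(2);
    const next = tokens[i + 1];
    const value = next !== undefined && !next.startsWith('--') ? tokens[++i] : true;
    setPath(argv, key, value);
  }
  return argv;
}

// Startup or test-time check: does a fresh plain object inherit a property it
// should not have?
function isPrototypePolluted(prop) {
  return prop in {};
}

function demonstrate() {
  // Constructed input: the exact argument form quoted in the advisory.
  const tokens = ['--foo.__proto__.bar', 'baz'];
  const out = {};

  parseArgs(tokens, setPathNaive);
  out.naiveLeaked = ({}).bar;                  // 'baz': unrelated objects now see bar
  out.pollutedAfterNaive = isPrototypePolluted('bar');
  delete Object.prototype.bar;                 // undo so the rest of the process is unaffected

  try {
    parseArgs(tokens, setPathSafe);
    out.safeRejected = false;
  } catch (e) {
    out.safeRejected = true;
  }
  out.pollutedAfterSafe = isPrototypePolluted('bar');

  // A benign dotted key still works with the hardened setter.
  out.benign = parseArgs(['--db.host', 'localhost', '--verbose'], setPathSafe);
  return out;
}

console.log(demonstrate());
```

The isPrototypePolluted check is the cheap part to keep: a process that parses untrusted arguments (or JSON, or query strings) through any dotted-path merge can assert at startup and in its test suite that no unexpected names are visible on a fresh object.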
Uncontrolled Resource Consumption in trim-newlines

@rkesters/gnuplot is an easy-to-use node module to draw charts using gnuplot and ps2pdf. The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
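The advisory does not quote the affected pattern, so the following added example (not trim-newlines' own code) shows the general mitigation for this class of bug rather than a patched regex: trimming trailing and leading newlines with an index scan, whose running time is bounded by the input length no matter how the input is shaped. The function names trimNewlinesEnd, trimNewlinesStart and demo are this example's own, and the inputs are constructed.

```javascript
// Added example, not trim-newlines' own code: linear-time newline trimming
// without a regular expression, so there is no backtracking to exhaust.

function trimNewlinesEnd(str) {
  let end = str.length;
  // Walk back over \r and \n only; stop at the first other character.
  while (end > 0 && (str[end - 1] === '\n' || str[end - 1] === '\r')) {
    end--;
  }
  return end === str.length ? str : str.slice(0, end);
}

function trimNewlinesStart(str) {
  let start = 0;
  while (start < str.length && (str[start] === '\n' || str[start] === '\r')) {
    start++;
  }
  return start === 0 ? str : str.slice(start);
}

function trimNewlines(str) {
  return trimNewlinesStart(trimNewlinesEnd(str));
}

// Constructed inputs: a benign string, and a long run of newlines followed by
// one non-newline character, the shape on which an end-anchored backtracking
// pattern does the most wasted work. The scan handles it in a single pass.
function demo() {
  const benign = 'hello\r\n\n';
  const long = '\n'.repeat(100000) + 'x';
  const started = Date.now();
  const result = {
    benign: trimNewlinesEnd(benign),              // 'hello'
    longEndUnchanged: trimNewlinesEnd(long) === long,
    longStart: trimNewlinesStart(long),           // 'x'
    both: trimNewlines('\r\n  padded  \n\r\n'),   // '  padded  '
  };
  result.elapsedMs = Date.now() - started;
  return result;
}

console.log(demo());
```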