Standard version 10.0.2 is a minor patch release following 10.0.1 of the popular JavaScript Standard Style package. Both versions provide a consistent, opinionated code style that formats code automatically and catches style issues, saving developers time in code review and keeping code quality consistent. Key dependencies for both versions are eslint, standard-engine, and several eslint-plugin-* packages covering Node.js, React, import statements, and promises, which keep the tool compatible with modern JavaScript development. The core difference between 10.0.2 and 10.0.1 is the eslint-config-standard dependency: version 10.0.2 updates it to 10.2.1, while 10.0.1 uses 10.2.0. This likely includes minor bug fixes or rule updates within the standard ESLint configuration, which would change the specific linting rules applied to your code. Developers upgrading should review the changes in eslint-config-standard from 10.2.0 to 10.2.1 to understand any impact on their code style. Both versions use the same devDependencies, such as tape for testing, mkdirp for directory creation, and cross-spawn for cross-platform process spawning, which streamline development. Given that this is a patch release, the focus is on updating packages and the underlying ESLint rules.
All vulnerabilities related to version 10.0.2 of the package
Prototype Pollution in Ajv
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Improper Privilege Management in shelljs
shelljs is vulnerable to Improper Privilege Management.
Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user.
Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.
Patched in shelljs 0.8.5
Recommended action is to upgrade to 0.8.5.
https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.