[Security] Bump @eslint/plugin-kit from 0.2.0 to 0.2.3
Bumps @eslint/plugin-kit from 0.2.0 to 0.2.3. This update includes a security fix.
Vulnerabilities fixed
Regular Expression Denial of Service (ReDoS) in
@eslint/plugin-kit
Crafting a very large and well crafted string can increase the CPU usage and crash the program.
POC
const { ConfigCommentParser } = require("@eslint/plugin-kit");
var str = "";
for (var i = 0; i < 1000000; i++) {
  str += " ";
}
str += "A";
console.log("start");
var parser = new ConfigCommentParser();
console.log(parser.parseStringConfig(str, ""));
console.log("end");
// run npm i @eslint/plugin-kit and node attack.js
// then the program will get stuck forever with high CPU usage
... (truncated)
Patched versions: 0.2.3
Affected versions: < 0.2.3
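A defender-side check for the version range above, written for this MR as an added example (it is not Dependabot's or the @eslint/plugin-kit project's code): it walks an npm package-lock.json "packages" map, including nested copies, and flags any @eslint/plugin-kit install below the patched 0.2.3. The lockfile fragment is constructed for the demonstration.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" map)
// for @eslint/plugin-kit installs in the advisory's affected range (< 0.2.3).
const PACKAGE = "@eslint/plugin-kit";
const PATCHED = "0.2.3"; // "Patched versions: 0.2.3", "Affected versions: < 0.2.3"

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts plus an optional pre-release tag.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A pre-release (0.2.3-beta.1) sorts below its release (0.2.3), so it is still flagged.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x.parts[i] !== y.parts[i]) return x.parts[i] - y.parts[i];
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

// Every "packages" key ending in node_modules/<name> is an installed copy of <name>,
// so nested copies pulled in by other plugins are checked, not just the top-level entry.
function findVulnerablePluginKit(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith(`node_modules/${PACKAGE}`) || !entry.version) continue;
    if (compareSemver(entry.version, PATCHED) < 0) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed lockfile fragment: a patched top-level copy and one nested vulnerable copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@eslint/plugin-kit": { version: "0.2.3" },
    "node_modules/some-plugin/node_modules/@eslint/plugin-kit": { version: "0.2.0" },
    "node_modules/@eslint/core": { version: "0.9.0" },
  },
};

console.log(findVulnerablePluginKit(SAMPLE_LOCK));
```

On a real project, replace SAMPLE_LOCK with JSON.parse of the repository's package-lock.json; an empty result means every installed copy is at or above 0.2.3.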
Release notes
Sourced from @eslint/plugin-kit's releases.
plugin-kit: v0.2.3
0.2.3 (2024-11-14)
Dependencies
- The following workspace dependencies were updated
  - devDependencies
    - @eslint/core bumped from ^0.8.0 to ^0.9.0
plugin-kit: v0.2.2
0.2.2 (2024-10-25)
Dependencies
- The following workspace dependencies were updated
  - devDependencies
    - @eslint/core bumped from ^0.7.0 to ^0.8.0
plugin-kit: v0.2.1
0.2.1 (2024-10-18)
Dependencies
- The following workspace dependencies were updated
  - devDependencies
    - @eslint/core bumped from ^0.6.0 to ^0.7.0
Commits
- a957ee3 chore: release main (#130)
- 3591a78 feat: Add Language#normalizeLanguageOptions() (#131)
- 2fa68b7 chore: fix formatting error (#133)
- 071be84 Merge commit from fork
- e73b1dc docs: Update README sponsors
- d0b2e70 fix: non-optional properties in generic interfaces (#132)
- 3a87bbb fix: Support legacy schema properties (#128)
- c24083b docs: Update README sponsors
- 0dc78d3 chore: release main (#125)
- ffa176f feat: Add rule types (#110)
- Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
- $dependabot recreate will recreate this MR, rewriting all the manual changes and resolving conflicts