Skip to content

[Security] Bump @eslint/plugin-kit from 0.2.0 to 0.2.4

Dependabot requested to merge dependabot-npm_and_yarn-eslint-plugin-kit-0.2.4 into master

Bumps @eslint/plugin-kit from 0.2.0 to 0.2.4. This update includes a security fix.

Vulnerabilities fixed

Regular Expression Denial of Service (ReDoS) in @​eslint/plugin-kit
Crafting a very large and well crafted string can increase the CPU usage and crash the program.

POC

const { ConfigCommentParser } = require("@eslint/plugin-kit");
var str = "";
for (var i = 0; i < 1000000; i++) {
str += " ";
}
str += "A";
console.log("start")
var parser = new ConfigCommentParser();
console.log(parser.parseStringConfig(str, ""));
console.log("end")
// run npm i @eslint/plugin-kit and node attack.js
// then the program will stuck forever with high CPU usage
</tr></table>

... (truncated)

Patched versions: 0.2.3
Affected versions: < 0.2.3

Release notes

Sourced from @​eslint/plugin-kit's releases.

plugin-kit: v0.2.4

0.2.4 (2024-12-04)

Bug Fixes

Dependencies

  • The following workspace dependencies were updated
    • devDependencies
      • @​eslint/core bumped from ^0.9.0 to ^0.9.1

plugin-kit: v0.2.3

0.2.3 (2024-11-14)

Dependencies

  • The following workspace dependencies were updated
    • devDependencies
      • @​eslint/core bumped from ^0.8.0 to ^0.9.0

plugin-kit: v0.2.2

0.2.2 (2024-10-25)

Dependencies

  • The following workspace dependencies were updated
    • devDependencies
      • @​eslint/core bumped from ^0.7.0 to ^0.8.0

plugin-kit: v0.2.1

0.2.1 (2024-10-18)

Dependencies

  • The following workspace dependencies were updated
    • devDependencies
      • @​eslint/core bumped from ^0.6.0 to ^0.7.0
Commits

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports