chore: [security] bump @eslint/plugin-kit from 0.3.2 to 0.3.3 #511

Closed
martinr92 wants to merge 1 commit from dependabot-npm_and_yarn-develop-eslint-plugin-kit-0.3.3 into develop
martinr92 commented 2025-07-19 02:59:36 +00:00 (Migrated from gitlab.com)

Bumps @eslint/plugin-kit from 0.3.2 to 0.3.3. This update includes a security fix.

Vulnerabilities fixed

@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser

Summary

The ConfigCommentParser#parseJSONLikeConfig API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.

Details

The regular expression at packages/plugin-kit/src/config-comment-parser.js:158 is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with [^-a-zA-Z0-9/].

PoC

const { ConfigCommentParser } = require("@eslint/plugin-kit");

// One million key characters that are never followed by ":"; every start
// position inside the run is rescanned before the match fails.
const str = `${"A".repeat(1000000)}?: 1 B: 2`;

console.log("start");
var parser = new ConfigCommentParser();
console.log(parser.parseJSONLikeConfig(str));
console.log("end");

... (truncated)

Patched versions: 0.3.3
Affected versions: < 0.3.3

Release notes

Sourced from @eslint/plugin-kit's releases.

plugin-kit: v0.3.3

0.3.3 (2025-06-25)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @eslint/core bumped from ^0.15.0 to ^0.15.1

Changelog

Sourced from @eslint/plugin-kit's changelog.

0.3.3 (2025-06-25)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @eslint/core bumped from ^0.15.0 to ^0.15.1

Commits

  • 0496201 chore: release main (#229)
  • f5e6d68 chore: hoist cli tools to root level (#224)
  • See full diff in compare view: https://github.com/eslint/rewrite/commits/plugin-kit-v0.3.3/packages/plugin-kit
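The advisory above says the key-matching group is quadratic because nothing constrains where a key may start, and that prefixing the pattern with `[^-a-zA-Z0-9/]` fixes it. The following is an added example, not plugin-kit's code or the advisory's PoC; the unanchored pattern is reconstructed from the advisory's wording and is assumed, not quoted from config-comment-parser.js, and the function names and the length cap are hypothetical.

```javascript
// Added illustration, not plugin-kit's code. ASSUMPTION: the unanchored pattern
// is reconstructed from the advisory's wording (a `([-a-zA-Z0-9/]+):` group with
// nothing constraining where a key may start); function names are hypothetical.
const UNANCHORED = /([-a-zA-Z0-9\/]+):/gu;
// The advisory's fix: a key may only begin at the start of the input or right
// after a non-key character, so a failed attempt is not retried one char later.
const ANCHORED = /(^|[^-a-zA-Z0-9\/])([-a-zA-Z0-9\/]+):/gu;

// Quote the bare keys of a JSON-like config comment such as "a: 1 b: 2".
function quoteKeysUnanchored(text) {
  return text.replace(UNANCHORED, '"$1":');
}
function quoteKeysAnchored(text) {
  return text.replace(ANCHORED, '$1"$2":');
}

// Input shape from the PoC: n key characters never followed by ":". Unanchored,
// each of the n start positions scans to the end of the run before failing
// (about n*n/2 steps); anchored, only position 0 is a candidate.
function pathological(n) {
  return `${"A".repeat(n)}?: 1 B: 2`;
}

// Both variants agree on ordinary, well-formed config comments.
function sameResult(text) {
  return quoteKeysUnanchored(text) === quoteKeysAnchored(text);
}

// Wall-clock cost of one replace, in milliseconds.
function timeMs(fn, text) {
  const t0 = performance.now();
  fn(text);
  return performance.now() - t0;
}

// Compensating control while an upgrade is pending: bound the length of
// untrusted comment text so even a quadratic parser stays cheap.
const MAX_COMMENT_LENGTH = 10000;
function safeQuoteKeys(text) {
  if (text.length > MAX_COMMENT_LENGTH) throw new RangeError("config comment too long");
  return quoteKeysAnchored(text);
}

// Doubling n roughly quadruples the unanchored time; the anchored one stays flat.
for (const n of [2000, 4000, 8000]) {
  const s = pathological(n);
  console.log(`n=${n}: unanchored ${timeMs(quoteKeysUnanchored, s).toFixed(1)} ms,`
    + ` anchored ${timeMs(quoteKeysAnchored, s).toFixed(1)} ms`);
}
```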
martinr92 commented 2025-07-19 02:59:36 +00:00 (Migrated from gitlab.com)

assigned to @martinr92
martinr92 commented 2025-07-22 03:00:28 +00:00 (Migrated from gitlab.com)

This merge request has been superseded by !488+
martinr92 (Migrated from gitlab.com) closed this pull request 2025-07-22 03:00:28 +00:00

Pull request closed
