chore: [security] bump @eslint/plugin-kit from 0.3.2 to 0.3.4 #512

Closed
martinr92 wants to merge 1 commit from dependabot-npm_and_yarn-develop-eslint-plugin-kit-0.3.4 into develop
martinr92 commented 2025-07-22 03:00:23 +00:00 (Migrated from gitlab.com)

Bumps [@eslint/plugin-kit](https://github.com/eslint/rewrite/tree/HEAD/packages/plugin-kit) from 0.3.2 to 0.3.4. This update includes a security fix.

Vulnerabilities fixed

@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser

Summary

The ConfigCommentParser#parseJSONLikeConfig API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.

Details

The regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`.

PoC

```javascript
const { ConfigCommentParser } = require("@eslint/plugin-kit");

// One million leading "A" characters followed by the trailing config text
const str = `${"A".repeat(1000000)}?: 1 B: 2`;

console.log("start");
var parser = new ConfigCommentParser();
console.log(parser.parseJSONLikeConfig(str));
console.log("end");
```

... (truncated)

Patched versions: 0.3.3
Affected versions: < 0.3.3
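As an added check that is not part of the Dependabot PR or the @eslint/plugin-kit project: a Node script that walks an npm lockfile's `packages` map (lockfile v2/v3) and reports every copy of @eslint/plugin-kit, nested duplicates included, whose version is below the patched 0.3.3 from the advisory. The lockfile contents, the `some-plugin` package name and the helper names are constructed for the example.

```javascript
// Added example (not project code): find lockfile copies of
// @eslint/plugin-kit that are still in the affected range (< 0.3.3).
const PACKAGE = "@eslint/plugin-kit";
const PATCHED = "0.3.3"; // first patched version named in the advisory

// Compare two dotted semver versions numerically; pre-release tags are
// ignored, so "0.3.3-0" is treated like "0.3.3".
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, PATCHED) < 0;
}

// Walk the lockfile's "packages" map. Keys look like
// "node_modules/<name>" for hoisted packages and
// "node_modules/<parent>/node_modules/<name>" for nested duplicates,
// so a patched top-level copy does not prove the tree is clean.
function findAffectedCopies(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path.endsWith("node_modules/" + PACKAGE) && meta.version &&
        isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the hoisted copy is already on 0.3.4, but a
// nested copy under a hypothetical "some-plugin" is still on 0.3.2.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/@eslint/plugin-kit": { version: "0.3.4" },
    "node_modules/some-plugin/node_modules/@eslint/plugin-kit": { version: "0.3.2" },
    "node_modules/@eslint/core": { version: "0.15.1" },
  },
};

console.log(findAffectedCopies(sampleLock));
```

Point `sampleLock` at a parsed real `package-lock.json` to run the same check against a project tree.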

Release notes

Sourced from [@eslint/plugin-kit's releases](https://github.com/eslint/rewrite/releases).

plugin-kit: v0.3.4

0.3.4 (2025-07-21)

Bug Fixes

  • potential quadratic runtime in regular expression ([#240](https://github.com/eslint/rewrite/issues/240)) ([b283f64](https://github.com/eslint/rewrite/commit/b283f64099ad6c6b5043387c091691d21b387805))

plugin-kit: v0.3.3

0.3.3 (2025-06-25)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @eslint/core bumped from ^0.15.0 to ^0.15.1

Changelog

Sourced from [@eslint/plugin-kit's changelog](https://github.com/eslint/rewrite/blob/main/packages/plugin-kit/CHANGELOG.md).

0.3.4 (2025-07-21)

Bug Fixes

  • potential quadratic runtime in regular expression ([#240](https://github.com/eslint/rewrite/issues/240)) ([b283f64](https://github.com/eslint/rewrite/commit/b283f64099ad6c6b5043387c091691d21b387805))

0.3.3 (2025-06-25)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @eslint/core bumped from ^0.15.0 to ^0.15.1

Commits

  • [380c224](https://github.com/eslint/rewrite/commit/380c2248711f5277e56c2977b6b440577b210023) chore: release main (#242)
  • [17276ff](https://github.com/eslint/rewrite/commit/17276ff19cec952ecbe7a1bacfaed67bc134b20c) docs: Update README sponsors
  • [b283f64](https://github.com/eslint/rewrite/commit/b283f64099ad6c6b5043387c091691d21b387805) fix: potential quadratic runtime in regular expression (#240)
  • [46cd5da](https://github.com/eslint/rewrite/commit/46cd5dab8f47b4be65a9aa9202a38603da85f186) docs: Update README sponsors
  • [9677965](https://github.com/eslint/rewrite/commit/9677965292cd5b670ef0e4aa7b9b57028a26a0ee) docs: Update README sponsors
  • [20799b5](https://github.com/eslint/rewrite/commit/20799b5802db906bc43308108986e0508febe58f) docs: Update README sponsors
  • [0496201](https://github.com/eslint/rewrite/commit/0496201974aad87fdcf3aa2a63ec74e91b54825e) chore: release main (#229)
  • [f5e6d68](https://github.com/eslint/rewrite/commit/f5e6d683ee00b24b98777291c0a9a83719fe3402) chore: hoist cli tools to root level (#224)
  • See full diff in [compare view](https://github.com/eslint/rewrite/commits/plugin-kit-v0.3.4/packages/plugin-kit)

martinr92 commented 2025-07-22 03:00:23 +00:00 (Migrated from gitlab.com)

assigned to @martinr92

martinr92 commented 2025-07-22 03:00:24 +00:00 (Migrated from gitlab.com)

added 1 commit

  • 314bf94b - chore: [security] bump @eslint/plugin-kit from 0.3.2 to 0.3.4

[Compare with previous version](/marty-media/server/-/merge_requests/488/diffs?diff_id=1431476968&start_sha=14cbbd4a5109be6f1ba6a97d704011204457648e)

martinr92 commented 2025-07-22 03:00:28 +00:00 (Migrated from gitlab.com)

mentioned in merge request !487

martinr92 commented 2025-08-09 03:02:05 +00:00 (Migrated from gitlab.com)

This merge request has been superseded by !507+

martinr92 (Migrated from gitlab.com) closed this pull request 2025-08-09 03:02:06 +00:00

Pull request closed
