chore: [security] bump @eslint/plugin-kit from 0.3.2 to 0.3.5 #531

Closed

martinr92 wants to merge 1 commit from dependabot-npm_and_yarn-develop-eslint-plugin-kit-0.3.5 into develop

martinr92 commented

2025-08-09 03:01:59 +00:00

(Migrated from gitlab.com)

Bumps @eslint/plugin-kit from 0.3.2 to 0.3.5. This update includes a security fix.

Vulnerabilities fixed

@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser

Summary

The ConfigCommentParser#parseJSONLikeConfig API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.

Details

The regular expression at packages/plugin-kit/src/config-comment-parser.js:158 is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with [^-a-zA-Z0-9/].

PoC
const { ConfigCommentParser } = require("@eslint/plugin-kit");
const str = ${&quot;A&quot;.repeat(1000000)}?: 1 B: 2;
console.log("start")
var parser = new ConfigCommentParser();
console.log(parser.parseJSONLikeConfig(str));
console.log("end")
</tr></table>

... (truncated)

Patched versions: 0.3.4 Affected versions: < 0.3.4

Release notes

Sourced from @eslint/plugin-kit's releases.

plugin-kit: v0.3.5

0.3.5 (2025-08-05)

Dependencies

The following workspace dependencies were updated

dependencies

@eslint/core bumped from ^0.15.1 to ^0.15.2

plugin-kit: v0.3.4

0.3.4 (2025-07-21)

Bug Fixes

potential quadratic runtime in regular expression (#240) (b283f64)

plugin-kit: v0.3.3

0.3.3 (2025-06-25)

Dependencies

The following workspace dependencies were updated

dependencies

@eslint/core bumped from ^0.15.0 to ^0.15.1

Changelog

Sourced from @eslint/plugin-kit's changelog.

0.3.5 (2025-08-05)

Dependencies

The following workspace dependencies were updated

dependencies

@eslint/core bumped from ^0.15.1 to ^0.15.2

0.3.4 (2025-07-21)

Bug Fixes

potential quadratic runtime in regular expression (#240) (b283f64)

0.3.3 (2025-06-25)

Dependencies

The following workspace dependencies were updated

dependencies

@eslint/core bumped from ^0.15.0 to ^0.15.1

Commits

9e68ab6 chore: release main (#252)
e39a386 docs: Update README sponsors
57734b4 docs: Update README sponsors
380c224 chore: release main (#242)
17276ff docs: Update README sponsors
b283f64 fix: potential quadratic runtime in regular expression (#240)
46cd5da docs: Update README sponsors
9677965 docs: Update README sponsors
20799b5 docs: Update README sponsors
0496201 chore: release main (#229)
Additional commits viewable in compare view

Bumps [@eslint/plugin-kit](https://github.com/eslint/rewrite/tree/HEAD/packages/plugin-kit) from 0.3.2 to 0.3.5. **This update includes a security fix.** <details> <summary>Vulnerabilities fixed</summary> <blockquote> <p><strong><code>@eslint/plugin-kit</code> is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser</strong></p> <h3>Summary</h3> <p>The <code>ConfigCommentParser#parseJSONLikeConfig</code> API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.</p> <h3>Details</h3> <p>The regular expression at <a href="https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158">packages/plugin-kit/src/config-comment-parser.js:158</a> is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with <code>[^-a-zA-Z0-9/]</code>.</p> <h3>PoC</h3> <pre lang="javascript"><code>const { ConfigCommentParser } = require("@eslint/plugin-kit"); <p>const str = <code>${&quot;A&quot;.repeat(1000000)}?: 1 B: 2</code>;</p> <p>console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseJSONLikeConfig(str)); console.log("end")</p> <p></tr></table> </code></pre></p> </blockquote> <p>... (truncated)</p> <blockquote> <p>Patched versions: 0.3.4 Affected versions: < 0.3.4</p> </blockquote> </details> <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/eslint/rewrite/releases"><code>@eslint/plugin-kit</code>'s releases</a>.</em></p> <blockquote> <h2>plugin-kit: v0.3.5</h2> <h2><a href="https://github.com/eslint/rewrite/compare/plugin-kit-v0.3.4...plugin-kit-v0.3.5">0.3.5</a> (2025-08-05)</h2> <h3>Dependencies</h3> <ul> <li>The following workspace dependencies were updated <ul> <li>dependencies <ul> <li><code>@eslint/core</code> bumped from ^0.15.1 to ^0.15.2</li> </ul> </li> </ul> </li> </ul> <h2>plugin-kit: v0.3.4</h2> <h2><a href="https://github.com/eslint/rewrite/compare/plugin-kit-v0.3.3...plugin-kit-v0.3.4">0.3.4</a> (2025-07-21)</h2> <h3>Bug Fixes</h3> <ul> <li>potential quadratic runtime in regular expression (<a href="https://github.com/eslint/rewrite/issues/240">#240</a>) (<a href="https://github.com/eslint/rewrite/commit/b283f64099ad6c6b5043387c091691d21b387805">b283f64</a>)</li> </ul> <h2>plugin-kit: v0.3.3</h2> <h2><a href="https://github.com/eslint/rewrite/compare/plugin-kit-v0.3.2...plugin-kit-v0.3.3">0.3.3</a> (2025-06-25)</h2> <h3>Dependencies</h3> <ul> <li>The following workspace dependencies were updated <ul> <li>dependencies <ul> <li><code>@eslint/core</code> bumped from ^0.15.0 to ^0.15.1</li> </ul> </li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/eslint/rewrite/blob/main/packages/plugin-kit/CHANGELOG.md"><code>@eslint/plugin-kit</code>'s changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/eslint/rewrite/compare/plugin-kit-v0.3.4...plugin-kit-v0.3.5">0.3.5</a> (2025-08-05)</h2> <h3>Dependencies</h3> <ul> <li>The following workspace dependencies were updated <ul> <li>dependencies <ul> <li><code>@eslint/core</code> bumped from ^0.15.1 to ^0.15.2</li> </ul> </li> </ul> </li> </ul> <h2><a href="https://github.com/eslint/rewrite/compare/plugin-kit-v0.3.3...plugin-kit-v0.3.4">0.3.4</a> (2025-07-21)</h2> <h3>Bug Fixes</h3> <ul> <li>potential quadratic runtime in regular expression (<a href="https://github.com/eslint/rewrite/issues/240">#240</a>) (<a href="https://github.com/eslint/rewrite/commit/b283f64099ad6c6b5043387c091691d21b387805">b283f64</a>)</li> </ul> <h2><a href="https://github.com/eslint/rewrite/compare/plugin-kit-v0.3.2...plugin-kit-v0.3.3">0.3.3</a> (2025-06-25)</h2> <h3>Dependencies</h3> <ul> <li>The following workspace dependencies were updated <ul> <li>dependencies <ul> <li><code>@eslint/core</code> bumped from ^0.15.0 to ^0.15.1</li> </ul> </li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/eslint/rewrite/commit/9e68ab61df9c4ebc082b603fb5e3dfe2dcf98666"><code>9e68ab6</code></a> chore: release main (<a href="https://github.com/eslint/rewrite/tree/HEAD/packages/plugin-kit/issues/252">#252</a>)</li> <li><a href="https://github.com/eslint/rewrite/commit/e39a3862178376c1d85d16db73bb7a11ed8430cd"><code>e39a386</code></a> docs: Update README sponsors</li> <li><a href="https://github.com/eslint/rewrite/commit/57734b40f08335c1b1311573d922404f29ba5ecf"><code>57734b4</code></a> docs: Update README sponsors</li> <li><a href="https://github.com/eslint/rewrite/commit/380c2248711f5277e56c2977b6b440577b210023"><code>380c224</code></a> chore: release main (<a href="https://github.com/eslint/rewrite/tree/HEAD/packages/plugin-kit/issues/242">#242</a>)</li> <li><a href="https://github.com/eslint/rewrite/commit/17276ff19cec952ecbe7a1bacfaed67bc134b20c"><code>17276ff</code></a> docs: Update README sponsors</li> <li><a href="https://github.com/eslint/rewrite/commit/b283f64099ad6c6b5043387c091691d21b387805"><code>b283f64</code></a> fix: potential quadratic runtime in regular expression (<a href="https://github.com/eslint/rewrite/tree/HEAD/packages/plugin-kit/issues/240">#240</a>)</li> <li><a href="https://github.com/eslint/rewrite/commit/46cd5dab8f47b4be65a9aa9202a38603da85f186"><code>46cd5da</code></a> docs: Update README sponsors</li> <li><a href="https://github.com/eslint/rewrite/commit/9677965292cd5b670ef0e4aa7b9b57028a26a0ee"><code>9677965</code></a> docs: Update README sponsors</li> <li><a href="https://github.com/eslint/rewrite/commit/20799b5802db906bc43308108986e0508febe58f"><code>20799b5</code></a> docs: Update README sponsors</li> <li><a href="https://github.com/eslint/rewrite/commit/0496201974aad87fdcf3aa2a63ec74e91b54825e"><code>0496201</code></a> chore: release main (<a href="https://github.com/eslint/rewrite/tree/HEAD/packages/plugin-kit/issues/229">#229</a>)</li> <li>Additional commits viewable in <a href="https://github.com/eslint/rewrite/commits/plugin-kit-v0.3.5/packages/plugin-kit">compare view</a></li> </ul> </details> <br />

martinr92 commented

2025-08-09 03:02:00 +00:00

(Migrated from gitlab.com)

assigned to @martinr92