Conversation

Member

@jobenjada jobenjada commented Oct 6, 2025

🔒 Security Fix

Resolves Dependabot alert #9: GHSA-xffm-g5w8-qvg7

📋 Summary

Fixes the Regular Expression Denial of Service (ReDoS) vulnerability in @eslint/plugin-kit by using pnpm overrides to force the patched version:

  • @eslint/plugin-kit: 0.2.8 → 0.4.0

🎯 Why pnpm Overrides?

This is the best solution because:

  1. Surgical Fix - Only patches @eslint/plugin-kit without updating eslint or other dependencies
  2. Minimal Changes - Only 2 files changed: package.json (+10 lines) and pnpm-lock.yaml (+21/-5 lines)
  3. Backward Compatible - Version 0.4.0 is fully compatible with [email protected]
  4. Avoids Cascading Updates - Updating eslint itself would trigger updates of 100+ other packages
  5. Documented - Includes inline comment explaining why the override is necessary

📊 Vulnerability Details

CVE: GHSA-xffm-g5w8-qvg7
Severity: LOW (CVSS 4.0: 2.3)
Type: ReDoS in ConfigCommentParser#parseJSONLikeConfig
Affected: @eslint/plugin-kit < 0.3.4
Fixed in: @eslint/[email protected]+

The vulnerable regex pattern could cause quadratic runtime attacks leading to blocking execution and high CPU usage when processing specially crafted input.

📝 What Changed

{
  "pnpm": {
    "overrides": {
      "@eslint/[email protected]": "0.4.0"
    },
    "comments": {
      "overrides": {
        "@eslint/plugin-kit": "Security fix for GHSA-xffm-g5w8-qvg7..."
      }
    }
  }
}

Lock file changes:

  • Added override mapping
  • Updated @eslint/plugin-kit to 0.4.0
  • Updated @eslint/core dependency (used by plugin-kit)
  • No other packages affected

✅ Testing

  • ✅ All tests passing (32/32)
  • ✅ Build successful
  • ✅ Only @eslint/plugin-kit and its direct dependency updated
  • ✅ No breaking changes

@CLAassistant

CLAassistant commented Oct 6, 2025

CLA assistant check
All committers have signed the CLA.

@coderabbitai

coderabbitai bot commented Oct 6, 2025

Walkthrough

Adds a pnpm configuration block to package.json. It introduces an overrides entry mapping "@eslint/[email protected]" to "0.4.0". A comments.overrides note documents the rationale, referencing GHSA-xffm-g5w8-qvg7 (ReDoS) and indicating that "@eslint/[email protected]" is backward-compatible with "[email protected]". No other files or functional logic are changed.

Pre-merge checks

✅ Passed checks (3 passed)
Title Check (✅ Passed): The pull request title clearly and concisely summarizes the primary change by describing the fix for the @eslint/plugin-kit ReDoS vulnerability and referencing the specific advisory GHSA-xffm-g5w8-qvg7, which aligns directly with the changeset. It uses a straightforward conventional commit style and avoids superfluous information, making it easy for a reviewer to understand the intent at a glance.

Description Check (✅ Passed): The description is directly related to the changeset and provides context on the security fix, the rationale for using pnpm overrides, vulnerability details, and testing outcomes, which all match the modifications made in package.json. It does not include any off-topic information and clearly supports understanding of the changeset's purpose.

Docstring Coverage (✅ Passed): No functions found in the changes. Docstring coverage check skipped.


- Add pnpm override to force @eslint/plugin-kit 0.2.8 → 0.4.0
- Resolves Dependabot alert #9
- All tests passing, no breaking changes

Using override instead of updating eslint to avoid updating all other
eslint dependencies. [email protected] uses @eslint/[email protected]
(vulnerable), but 0.4.0 is backward compatible.
@jobenjada jobenjada force-pushed the fix/eslint-plugin-kit-cve branch from e289df7 to c45eafa on October 6, 2025 14:06
@jobenjada jobenjada changed the title fix: update eslint to patch @eslint/plugin-kit ReDoS vulnerability (GHSA-xffm-g5w8-qvg7) fix: patch @eslint/plugin-kit ReDoS vulnerability (GHSA-xffm-g5w8-qvg7) Oct 6, 2025
@sonarqubecloud

sonarqubecloud bot commented Oct 6, 2025

@jobenjada jobenjada requested a review from pandeymangg October 6, 2025 14:08

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e289df7 and c45eafa.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json (1 hunks)

Comment on lines +20 to +21
"@eslint/[email protected]": "0.4.0"
},

⚠️ Potential issue | 🔴 Critical

Override pattern doesn't hit ESLint's dependency range.

[email protected] declares @eslint/plugin-kit with the range ^0.2.8, so pnpm will keep resolving 0.2.x. An override key of @eslint/[email protected] only matches requests that exactly require 0.2.8, meaning this override never fires and the vulnerable version stays in the tree. Please switch the key to cover the whole package (e.g. @eslint/plugin-kit: 0.4.0 or @eslint/plugin-kit@*: 0.4.0) so pnpm force-resolves the patched release.

Apply this diff:

-    "overrides": {
-      "@eslint/[email protected]": "0.4.0"
-    },
+    "overrides": {
+      "@eslint/plugin-kit": "0.4.0"
+    },
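Review bot: the committable suggestion is anchored to lines +20 to +21, yet the replacement text starts with a fresh `"overrides": {` line while the `-` side also removes the one on line 19; if the suggestion is applied to only the two anchored lines, the original `"overrides": {` stays in place and a second copy is inserted directly beneath it, which is not valid JSON. Either widen the comment range to lines 19 to 21 or drop `"overrides": {` from the replacement so only the key line changes to `"@eslint/plugin-kit": "0.4.0"`. Since pnpm-lock.yaml is excluded from this review by the path filter, the claim in the description that the lockfile already records 0.4.0 should be reconciled with this finding by checking which version eslint's own snapshot entry still resolves @eslint/plugin-kit to.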
📝 Committable suggestion


Suggested change
"@eslint/[email protected]": "0.4.0"
},
"overrides": {
"@eslint/plugin-kit": "0.4.0"
},
🤖 Prompt for AI Agents
In package.json around lines 20 to 21, the override key
"@eslint/[email protected]" only matches an exact version and therefore doesn't
override the ^0.2.8 range that eslint depends on; change the override key to
cover the package range (for example use "@eslint/plugin-kit": "0.4.0" or
"@eslint/plugin-kit@*": "0.4.0") so pnpm will force-resolve all requests for
@eslint/plugin-kit to the patched 0.4.0 release.
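The disagreement above (the description says the lockfile now carries 0.4.0, the reviewer says the override never fires) is settled by reading pnpm-lock.yaml rather than package.json. The following script is an added example, not code from the PR or the project: it parses a constructed lockfile v9 fragment (placeholder versions and integrity values), lists every resolved version of a package, flags the ones still below the patched release, and names the snapshot entries that still depend on a vulnerable version.

```python
import re

# Constructed pnpm-lock.yaml fragment (lockfile v9 layout). Versions and
# integrity values are placeholders, not this project's real lockfile.
SAMPLE_LOCK = """\
packages:
  '@eslint/plugin-kit@0.2.8':
    resolution: {integrity: sha512-CONSTRUCTED}
  '@eslint/plugin-kit@0.4.0':
    resolution: {integrity: sha512-CONSTRUCTED}
  eslint@9.0.0:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  '@eslint/plugin-kit@0.2.8': {}
  '@eslint/plugin-kit@0.4.0': {}
  eslint@9.0.0:
    dependencies:
      '@eslint/plugin-kit': 0.2.8
"""

def section(lock, name):
    """Body of a top-level lockfile section such as 'packages' or 'snapshots'."""
    m = re.search(r"^" + re.escape(name) + r":\n(.*?)(?=^\S|\Z)", lock, re.M | re.S)
    return m.group(1) if m else ""

def parse_version(v):
    """'0.3.4' -> (0, 3, 4); pre-release and peer suffixes are ignored."""
    return tuple(int(x) for x in re.match(r"\d+(?:\.\d+)*", v).group(0).split("."))

def resolved_versions(lock, pkg):
    """Every version of pkg that has a resolved entry under 'packages:'."""
    pat = re.compile(r"^\s*'?" + re.escape(pkg) + r"@(\d+\.\d+\.\d+[^\s:'()]*)", re.M)
    return sorted(set(pat.findall(section(lock, "packages"))), key=parse_version)

def vulnerable_versions(lock, pkg, fixed_in):
    """Resolved versions of pkg still below the patched release."""
    return [v for v in resolved_versions(lock, pkg)
            if parse_version(v) < parse_version(fixed_in)]

def dependents_of(lock, pkg, version):
    """Snapshot entries whose dependencies still resolve pkg to version."""
    found, current = [], None
    for line in section(lock, "snapshots").splitlines():
        indent = len(line) - len(line.lstrip())
        if line.strip() and indent == 2:            # a new snapshot key
            current = line.strip().split(":")[0].strip("'")
        elif indent >= 6 and ":" in line:           # a dependency line
            key, val = line.strip().split(":", 1)
            if key.strip("'") == pkg and val.strip().split("(")[0] == version:
                found.append(current)
    return found
```

Run it against a real pnpm-lock.yaml by reading the file into `lock` in place of `SAMPLE_LOCK`; an override has only taken effect when `vulnerable_versions` returns an empty list and no dependent still points at the old release.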

@jobenjada
Member Author

Closing this PR as it has been merged into #16. Both security fixes (brace-expansion and @eslint/plugin-kit) are now combined in a single PR for easier review and management.

@jobenjada jobenjada closed this Oct 6, 2025