[ESLint plugin] Use caret (^) for dependency versions instead of exact versions

Please use caret (^) for dependency versions in your eslint-plugin-sonarjs npm package instead of exact versions.

Otherwise your plugin makes it almost impossible to maintain security vulnerabilities for transitive dependencies (i.e. for minimatch: minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments · CVE-2026-27903 · GitHub Advisory Database · GitHub) and becomes kind of useless.

2 Likes
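As an added illustration of the point raised above (example code written for this page, not part of the thread or of eslint-plugin-sonarjs), the script below does two things: it scans a package.json object for dependencies pinned to an exact version, and it implements the npm caret rule by hand so you can see exactly which versions a `^` range admits. The manifest and the version numbers in it are constructed for the example and are not the plugin's real dependency list; the `semver` package is deliberately not used so the block runs with plain Node.js.

```javascript
// Added example: find exact version pins in a manifest and evaluate caret ranges.
// Caret semantics as npm applies them (prerelease tags are ignored here for brevity):
//   ^1.2.3 := >=1.2.3 <2.0.0
//   ^0.2.3 := >=0.2.3 <0.3.0   (leftmost non-zero component is the one that must not change)
//   ^0.0.3 := >=0.0.3 <0.0.4

const EXACT_RE = /^\d+\.\d+\.\d+$/;
const CARET_RE = /^\^(\d+)\.(\d+)\.(\d+)$/;

// "3.0.4" -> [3, 0, 4]; throws on anything that is not a plain x.y.z version.
function parseVersion(v) {
  if (!EXACT_RE.test(v)) throw new Error(`not a plain x.y.z version: ${v}`);
  return v.split('.').map(Number);
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` lies inside the caret range `range` (e.g. "^3.0.4").
function caretSatisfies(range, version) {
  const m = CARET_RE.exec(range);
  if (!m) throw new Error(`not a caret range: ${range}`);
  const lower = m.slice(1).map(Number);
  const v = parseVersion(version);
  // The upper bound bumps the leftmost non-zero component of the lower bound.
  let upper;
  if (lower[0] > 0) upper = [lower[0] + 1, 0, 0];
  else if (lower[1] > 0) upper = [0, lower[1] + 1, 0];
  else upper = [0, 0, lower[2] + 1];
  return compareVersions(v, lower) >= 0 && compareVersions(v, upper) < 0;
}

// Classify a dependency specifier the way a reviewer would read it.
function classifySpec(spec) {
  if (EXACT_RE.test(spec)) return 'exact';
  if (spec.startsWith('^')) return 'caret';
  if (spec.startsWith('~')) return 'tilde';
  return 'other';
}

// Return "field.name@spec" for every dependency pinned to an exact version.
// Exact pins in a published library are the problem from the thread: a consumer
// cannot pick up a patched transitive release without the library itself republishing.
function findExactPins(pkg) {
  const pinned = [];
  for (const field of ['dependencies', 'peerDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (classifySpec(spec) === 'exact') pinned.push(`${field}.${name}@${spec}`);
    }
  }
  return pinned;
}

// Constructed sample manifest (hypothetical names and versions, not the real plugin's).
const samplePkg = {
  name: 'example-eslint-plugin',
  version: '1.0.0',
  dependencies: {
    minimatch: '3.0.4',        // exact pin: consumers are stuck on 3.0.4 forever
    'some-other-lib': '^1.4.0' // caret: any 1.x >= 1.4.0 can be resolved
  }
};

console.log(findExactPins(samplePkg));        // ["dependencies.minimatch@3.0.4"]
console.log(caretSatisfies('^3.0.4', '3.1.2')); // true: a patched 3.x is admitted
console.log(caretSatisfies('^3.0.4', '4.0.0')); // false: a new major is not
```

Running `findExactPins` over a published plugin's package.json (for example after `npm pack` and extracting the tarball) is a quick pre-release check; with the caret form, a consumer's `npm update` or a fresh lockfile can resolve a fixed transitive release on its own, which is exactly what the exact pin prevents.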

Hi @jakub-jemieljanczuk,

just released v4.0.2 using carets as requested. Thanks for raising this!

Victor

1 Like

Hi Victor,

Thank you so much. It will really help with transitive dependency updates if they are not locked to a specific version.

1 Like