Acorn 5.5.0 is an incremental update to the widely used ECMAScript parser, building on version 5.4.1. The differences are in the test suites and Unicode support. The test262 dependency now points to a newer commit hash (18c1e799a01cc976695983b61e225ce7959bdd91) than the previous version's (51553973738063f457e248f7f1e643c561c8a64c), which signifies enhanced adherence to the ECMAScript specification as validated by an evolved test suite. Unicode support advanced with the inclusion of unicode-10.0.0 (^0.7.5) in version 5.5.0, replacing unicode-9.0.0 (^0.7.0) from version 5.4.1. This upgrade enables the parser to correctly handle a broader range of Unicode characters, which matters for applications dealing with internationalized content. test262-parser-runner also moved from version 0.2.0 to 0.3.1, suggesting improvements in the tooling used to run tests against the parser. Core functionality remains consistent, but together these updates offer developers a more robust and standards-compliant parsing experience, particularly for projects that require accurate handling of modern JavaScript syntax and diverse character sets. The release date moved from February 2nd to February 27th, a roughly three-week gap between versions. The unpacked size also increased to 558636 compared with version 5.4.1, likely attributable to the Unicode data.
All vulnerabilities related to version 5.5.0 of the package
Regular Expression Denial of Service in Acorn
Affected versions of acorn are vulnerable to Regular Expression Denial of Service. A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF-16, which usually results in it being sanitized before reaching the parser. If an application processes untrusted input and passes it directly to acorn, attackers may leverage the vulnerability to cause a Denial of Service.
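The advisory notes that ill-formed UTF-16 is usually sanitized before it reaches the parser. As an added example (not Acorn's code and not part of the advisory), the check below makes that step explicit for untrusted input; findLoneSurrogates, parseUntrusted and the parseFn parameter are hypothetical names, and the sample strings are constructed.

```javascript
// Added example: reject ill-formed UTF-16 before source text reaches a parser.
// findLoneSurrogates and parseUntrusted are hypothetical helper names.

// Return the offset of every UTF-16 code unit that is a surrogate without its partner.
function findLoneSurrogates(text) {
  const offsets = [];
  for (let i = 0; i < text.length; i++) {
    const unit = text.charCodeAt(i);
    if (unit >= 0xd800 && unit <= 0xdbff) {
      // High surrogate: well-formed only when a low surrogate follows.
      const next = i + 1 < text.length ? text.charCodeAt(i + 1) : 0;
      if (next >= 0xdc00 && next <= 0xdfff) {
        i++; // skip the second half of the well-formed pair
      } else {
        offsets.push(i);
      }
    } else if (unit >= 0xdc00 && unit <= 0xdfff) {
      // Low surrogate with no preceding high surrogate.
      offsets.push(i);
    }
  }
  return offsets;
}

// Call parseFn only on well-formed input.
// parseFn stands in for the real parser entry point (assumption).
function parseUntrusted(source, parseFn) {
  const bad = findLoneSurrogates(source);
  if (bad.length > 0) {
    throw new RangeError(
      `rejected source: lone surrogate at offset ${bad[0]} (${bad.length} total)`
    );
  }
  return parseFn(source);
}

// Constructed samples. The first carries a raw U+D800 code unit, the form the
// advisory describes; the second uses a complete surrogate pair.
const malformed = "/[x-" + String.fromCharCode(0xd800) + "]/u";
const wellFormed = "/[x-\u{1F600}]/u";
```

Rejecting the input outright, rather than replacing the surrogate, keeps the parser from ever seeing text that differs from what the sender submitted.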