Acorn is a small, fast, and simple ECMAScript parser written in JavaScript. Comparing versions 6.0.0 and 5.7.4 reveals changes that matter to developers. Version 5.7.4, although the older stable release, carries a heavier development ecosystem, as its devDependencies show: ESLint (for code linting), Rollup (for bundling), and test262 (for conformance testing), alongside plugins for further code quality and standardization. This points to a focus on rigorous testing and adherence to coding standards in the development process of the 5.x series. Its unpacked size reflects the inclusion of these development-related dependencies. Version 6.0.0 shows a significant reduction in unpacked size, which means a sleeker, more focused core parser package intended for direct use.
The key difference is the shift away from embedding the entire development workflow within the package. Developers integrating Acorn 6.0.0 are expected to manage their own testing, linting, and bundling processes separately, which leaves them free to choose the tools that best suit their projects. The lighter footprint of 6.0.0 makes it the better choice where minimal dependencies are a priority. Notably, version 5.7.4 was released after version 6.0.0, which suggests that the 5.x line kept receiving dependency updates well after 6.0.0 shipped.
Known vulnerabilities affecting version 6.0.0 of the package
Regular Expression Denial of Service in Acorn
Affected versions of acorn are vulnerable to Regular Expression Denial of Service. A regular expression literal of the form /[x-\ud800]/u causes the parser to enter an infinite loop. The pattern is not valid UTF-16 (\ud800 is a lone high surrogate), so such input is usually sanitized before it reaches the parser. An application that passes untrusted input directly to acorn, however, can be made to hang, resulting in a Denial of Service.
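As an added example, not acorn's own code, the following preflight checks the pattern text of a regex literal for lone surrogates, both as raw UTF-16 and after decoding \u escapes, because the advisory's pattern [x-\ud800] is plain ASCII in the source file and only denotes a lone high surrogate once the escape is decoded. The function names, the conservative rule of rejecting any decoded lone surrogate under the u flag, and the sample patterns are assumptions of this example.

```javascript
// Added example, not acorn's code: a conservative well-formedness preflight for
// regex pattern text taken from untrusted source before it reaches a regex
// validator. Function names and the sample inputs are constructed for this example.

const UNICODE_ESCAPE = /\\u\{([0-9a-fA-F]+)\}|\\u([0-9a-fA-F]{4})/g;

// Decode \uXXXX and \u{X...} escapes into real UTF-16 code units.
// Escapes above U+10FFFF are left untouched (they are invalid anyway).
function decodeUnicodeEscapes(pattern) {
  return pattern.replace(UNICODE_ESCAPE, (match, braced, plain) => {
    const cp = parseInt(braced !== undefined ? braced : plain, 16);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// True if s contains a high surrogate not followed by a low surrogate, or a
// low surrogate not preceded by a high one (i.e. the string is ill-formed UTF-16).
function hasLoneSurrogate(s) {
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c >= 0xd800 && c <= 0xdbff) {
      const next = i + 1 < s.length ? s.charCodeAt(i + 1) : 0;
      if (next >= 0xdc00 && next <= 0xdfff) { i++; continue; } // valid pair
      return true;
    }
    if (c >= 0xdc00 && c <= 0xdfff) return true;
  }
  return false;
}

// Decide whether a pattern body with the given flags may be handed to the parser.
// Raw lone surrogates are always rejected; escaped ones only under the u flag,
// where the advisory's range bound [x-\ud800] triggers the hang. This rule is
// deliberately stricter than the language grammar.
function checkRegexPattern(pattern, flags) {
  if (hasLoneSurrogate(pattern)) return { ok: false, reason: 'raw lone surrogate' };
  if (flags.includes('u') && hasLoneSurrogate(decodeUnicodeEscapes(pattern))) {
    return { ok: false, reason: 'escaped lone surrogate under /u' };
  }
  return { ok: true, reason: '' };
}

// Constructed samples: the advisory's pattern with and without the u flag,
// a benign range, and a properly paired escaped surrogate pair.
const SAMPLES = [['[x-\\ud800]', 'u'], ['[x-\\ud800]', ''], ['[a-z]', 'u'], ['\\ud83d\\ude00', 'u']];

function runSamples() {
  return SAMPLES.map(([p, f]) => `/${p}/${f}: ${checkRegexPattern(p, f).ok ? 'ok' : 'reject'}`);
}

console.log(runSamples().join('\n'));
```

Because the check rejects some patterns the grammar allows, treat it as an input filter in front of an unpatched parser rather than as a replacement for upgrading.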