Acorn version 6.0.6 represents a subtle yet noteworthy update to the popular ECMAScript parser, following closely on the heels of version 6.0.5. Both versions maintain the MIT license, ensuring broad usability and integration across diverse projects. Developers familiar with Acorn will find the core functionality consistent between the two.
The key difference lies in the increased unpacked size of version 6.0.6, which grew to 1097912 bytes from 1084980 bytes in version 6.0.5. This suggests potential internal improvements or additions, such as refined parsing rules, bug fixes that add code, or enhanced performance optimizations. While the file count remains unchanged at 11, the larger unpacked size indicates modifications within those files.
For developers, this upgrade might be relevant if they encountered specific parsing edge cases in version 6.0.5 or are looking for subtle performance gains. The relatively short time span between releases, less than a month, further suggests that 6.0.6 addressed some important issue. Considering the library's small size, it is wise to upgrade to version 6.0.6 to benefit from these potential enhancements and bug fixes, ensuring code compatibility and leveraging the latest improvements in ECMAScript parsing. Because the changes are small, the update should not present any breaking changes.
All the vulnerabilities related to version 6.0.6 of the package
Regular Expression Denial of Service in Acorn
Affected versions of acorn are vulnerable to Regular Expression Denial of Service. A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF-16, which usually results in it being sanitized before reaching the parser. If an application processes untrusted input and passes it directly to acorn, attackers may leverage the vulnerability, leading to Denial of Service.
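The advisory above points out that the triggering input is not valid UTF-16 (it contains a lone surrogate code unit, \ud800) and that such input is normally sanitized before it reaches the parser. The following is an added example of that pre-parse check, written for this page and not code from acorn or its maintainers. It scans the source text for unpaired surrogates and refuses to hand it to the parser if any are found; the parse function is injected so the guard can be used with acorn's parse(input, options) or any other parser, and the ecmaVersion option and the sample inputs are assumptions constructed for the example.

```javascript
// Added example (not acorn's own code): reject source text that is not
// well-formed UTF-16 before it reaches the parser. A lone surrogate is any
// code unit in 0xD800..0xDFFF that is not part of a high/low pair.

// Returns the index of the first lone surrogate code unit, or -1 if the
// string is well-formed UTF-16.
function findLoneSurrogate(text) {
  for (let i = 0; i < text.length; i++) {
    const cu = text.charCodeAt(i);
    if (cu >= 0xd800 && cu <= 0xdbff) {
      // High surrogate: it must be immediately followed by a low surrogate.
      const next = i + 1 < text.length ? text.charCodeAt(i + 1) : -1;
      if (next >= 0xdc00 && next <= 0xdfff) {
        i++; // valid pair, skip the low half
        continue;
      }
      return i; // high surrogate without its low half
    }
    if (cu >= 0xdc00 && cu <= 0xdfff) {
      return i; // low surrogate without a preceding high half
    }
  }
  return -1;
}

function isWellFormedUtf16(text) {
  return findLoneSurrogate(text) === -1;
}

// Guard wrapper. parseFn is assumed to have acorn's shape, parse(input, options);
// the wrapper throws before calling it if the input fails the UTF-16 check, so
// malformed text never reaches the regex validator the advisory describes.
function parseUntrustedSource(source, parseFn, options = { ecmaVersion: 2019 }) {
  const idx = findLoneSurrogate(source);
  if (idx !== -1) {
    throw new Error(`rejected input: lone surrogate code unit at index ${idx}`);
  }
  return parseFn(source, options);
}

// Constructed sample inputs for the example. BAD_SAMPLE embeds the lone high
// surrogate from the advisory's regex; SAFE_SAMPLE is ordinary source text.
const SAFE_SAMPLE = 'const ok = /[a-z]/u;';
const BAD_SAMPLE = 'const bad = /[x-\ud800]/u;';

// Stand-in parser used only so the example runs without acorn installed;
// it records that it was reached and how many code units it received.
function stubParse(input, options) {
  return { type: 'Program', length: input.length, ecmaVersion: options.ecmaVersion };
}

// Runs both samples through the guard and reports which were accepted.
function demo() {
  const results = {};
  for (const [name, src] of Object.entries({ SAFE_SAMPLE, BAD_SAMPLE })) {
    try {
      results[name] = { accepted: true, ast: parseUntrustedSource(src, stubParse) };
    } catch (err) {
      results[name] = { accepted: false, reason: err.message };
    }
  }
  return results;
}
```

The check runs in O(n) over the code units and does not depend on the parser, so it can sit at the boundary where untrusted text enters the application (an upload handler, a plugin loader, a code-formatting endpoint). It complements, rather than replaces, moving to a patched acorn release; a wrapper that runs the parser in a worker with a hard timeout is a further defence-in-depth layer for inputs that are well-formed but still pathological.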