Acorn version 6.1.0, released on February 8, 2019, is a minor follow-up to version 6.0.7, released a few days earlier on February 4, 2019. Both versions provide the same core functionality: a small, fast ECMAScript parser. Acorn is distributed under the MIT license, which places few restrictions on integrating the parser into other projects. The GitHub repository is the same for both versions and remains the source for code and issue tracking.
Both packages contain the same number of files (11) when packaged; the unpacked size grows slightly, from 1,092,078 bytes in version 6.0.7 to 1,093,255 bytes in version 6.1.0. A difference this small indicates limited code changes, such as bug fixes or adjustments to the parsing logic, rather than new features. Whether to upgrade depends on the needs of the project and on whether any issues known in version 6.0.7 are resolved in the newer release. Acorn remains a useful tool for any project that needs to analyze or transform JavaScript code.
All known vulnerabilities affecting version 6.1.0 of the package
Regular Expression Denial of Service in Acorn
Affected versions of acorn are vulnerable to Regular Expression Denial of Service. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. The offending string is not valid UTF-16 (it contains a lone surrogate), so it is usually sanitized before it reaches the parser. If an application passes untrusted input directly to acorn, an attacker can use this vulnerability to cause a Denial of Service.
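The advisory's observation that the trigger string "is not valid UTF-16" points to a practical mitigation for code that must feed untrusted source text to a parser: check that the text is well-formed UTF-16 (no unpaired surrogate code units) and reject or repair it before parsing, in addition to upgrading to a fixed acorn release. The following is an added example illustrating that gate; it is not code from the Acorn project. The function names `hasLoneSurrogates`, `toWellFormedUtf16` and `parseUntrusted`, and the `parse` callback standing in for `acorn.parse`, are assumptions made for this example; the sample inputs are constructed, with `TRIGGER` modelled on the advisory's regex.

```javascript
// Added example (not Acorn project code): detect and neutralise lone UTF-16
// surrogates in untrusted source text before it reaches a parser. A lone high
// surrogate such as U+D800 is exactly what the advisory's /[x-\ud800]/u input
// contains, and it cannot occur in valid UTF-16.

// Returns true if `text` contains an unpaired high or low surrogate code unit.
function hasLoneSurrogates(text) {
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    if (code >= 0xd800 && code <= 0xdbff) {
      // High surrogate: valid only when immediately followed by a low surrogate.
      const next = i + 1 < text.length ? text.charCodeAt(i + 1) : -1;
      if (next >= 0xdc00 && next <= 0xdfff) { i++; continue; }
      return true;
    }
    if (code >= 0xdc00 && code <= 0xdfff) {
      // Low surrogate that was not consumed as the second half of a pair.
      return true;
    }
  }
  return false;
}

// Replaces every lone surrogate with U+FFFD so the result is well-formed UTF-16.
function toWellFormedUtf16(text) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    if (code >= 0xd800 && code <= 0xdbff) {
      const next = i + 1 < text.length ? text.charCodeAt(i + 1) : -1;
      if (next >= 0xdc00 && next <= 0xdfff) {
        out += text[i] + text[i + 1]; // keep the valid pair intact
        i++;
        continue;
      }
      out += '\ufffd';
    } else if (code >= 0xdc00 && code <= 0xdfff) {
      out += '\ufffd';
    } else {
      out += text[i];
    }
  }
  return out;
}

// Gate in front of the parser. `parse` is a hypothetical stand-in for
// acorn.parse (or any parser entry point). By default malformed input is
// rejected; with { repair: true } it is made well-formed and then parsed.
function parseUntrusted(source, parse, { repair = false } = {}) {
  if (hasLoneSurrogates(source)) {
    if (!repair) throw new Error('rejected: source is not well-formed UTF-16');
    source = toWellFormedUtf16(source);
  }
  return parse(source);
}

// Constructed samples: TRIGGER embeds a literal lone U+D800 like the advisory's
// regex; BENIGN embeds a valid surrogate pair (U+1F600) and must pass the gate.
const TRIGGER = 'var r = /[x-\ud800]/u;';
const BENIGN = 'var r = /[x-\ud83d\ude00]/u;';

module.exports = { hasLoneSurrogates, toWellFormedUtf16, parseUntrusted, TRIGGER, BENIGN };
```

On runtimes that implement ES2024, `String.prototype.isWellFormed()` and `String.prototype.toWellFormed()` perform the same check and repair as the two helpers above; the hand-written versions are kept here so the example runs on older engines and shows exactly which code units the check looks at. Rejecting is the safer default for a parser gate, since silently replacing characters can change what the parsed code means.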