Acorn version 6.3.0 represents a subtle but potentially important update over version 6.2.1 for developers relying on this popular ECMAScript parser. While both versions share the same core functionality—parsing JavaScript code according to the ECMAScript standard—and the same MIT license, a closer examination reveals key differences.
The most obvious change is the version number itself, incrementing from 6.2.1 to 6.3.0. This suggests a minor release including bug fixes, performance improvements, or small feature enhancements rather than a complete overhaul. Developers should look for any specific bug fixes addressing issues they might have encountered in 6.2.1. The slight increase in unpacked size, from 1101957 bytes to 1102462 bytes, hints at code additions or modifications, although the file count remains constant at 11.
Furthermore, the release dates indicate that version 6.3.0 was published on August 12, 2019, significantly later than version 6.2.1 on July 20, 2019. This temporal difference suggests that 6.3.0 incorporates more recent bug fixes and improvements. Upgrading to the newer version is generally recommended to benefit from these enhancements, to ensure compatibility with evolving ECMAScript standards, and to reduce exposure to known vulnerabilities. Developers are advised to consult the Acorn changelog or release notes for a comprehensive list of changes and to verify compatibility with their existing code.
All vulnerabilities related to version 6.3.0 of the package
Regular Expression Denial of Service in Acorn
Affected versions of acorn are vulnerable to Regular Expression Denial of Service. A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF-16, which usually results in it being sanitized before reaching the parser. If an application processes untrusted input and passes it directly to acorn, an attacker may exploit the vulnerability to cause a denial of service.
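The advisory notes that the trigger string is not well-formed UTF-16 (it contains a lone surrogate code unit), which is why input that is normalised before parsing usually does not reach the bug. The following added example, which is not acorn's own code, shows that pre-parse gate: a scan for lone surrogates and a wrapper that refuses to hand such text to the parser. The parser is passed in as a function (acorn.parse in real use; a stub here so the snippet runs offline), and the gate is a defence-in-depth filter, not a substitute for moving to a fixed acorn release.

```javascript
// Return the index of the first lone surrogate code unit in `str`,
// or -1 if the string is well-formed UTF-16.
function firstLoneSurrogate(str) {
  for (let i = 0; i < str.length; i++) {
    const cu = str.charCodeAt(i);
    if (cu >= 0xd800 && cu <= 0xdbff) {
      // High surrogate: only valid when immediately followed by a low surrogate.
      const next = i + 1 < str.length ? str.charCodeAt(i + 1) : -1;
      if (next >= 0xdc00 && next <= 0xdfff) {
        i++; // skip the low half of a valid pair
        continue;
      }
      return i;
    }
    if (cu >= 0xdc00 && cu <= 0xdfff) {
      return i; // low surrogate with no preceding high surrogate
    }
  }
  return -1;
}

// Parse only well-formed text; otherwise reject with a descriptive error
// instead of passing a string the parser was never meant to see.
function guardedParse(source, parseFn) {
  const bad = firstLoneSurrogate(source);
  if (bad !== -1) {
    return { ok: false, error: `lone surrogate code unit at index ${bad}` };
  }
  return { ok: true, ast: parseFn(source) };
}

// Constructed inputs: a benign regex literal, and the advisory's trigger shape
// built with a raw lone surrogate (the "\ud800" escape yields a real U+D800
// code unit in the resulting string).
const SAFE_SOURCE = "var re = /[a-z]/u;";
const TRIGGER_SOURCE = "var re = /[x-\ud800]/u;";

// Stand-in parser so the example runs without acorn installed (assumption);
// in real use supply e.g. (src) => acorn.parse(src, { ecmaVersion: 2019 }).
const stubParse = (src) => ({ type: "Program", sourceLength: src.length });

console.log(guardedParse(SAFE_SOURCE, stubParse));    // { ok: true, ast: ... }
console.log(guardedParse(TRIGGER_SOURCE, stubParse)); // { ok: false, error: ... }
```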