Acorn version 6.4.0 represents a minor update to the popular JavaScript parser library, building upon the foundation laid by version 6.3.0. Both versions maintain the core functionality of parsing ECMAScript, offering developers a reliable tool for analyzing and manipulating JavaScript code. The license remains MIT, ensuring broad usability across various projects, and the repository continues to be hosted on GitHub under the acornjs organization.
A notable difference is the increased unpacked size of version 6.4.0 (1103763 bytes) compared to version 6.3.0 (1102462 bytes). While the file count remains consistent at 11, this size difference suggests internal code modifications, potentially including bug fixes, performance enhancements, or the addition of new language feature support. Developers should consider this change when evaluating the library's footprint within their applications.
The release date also highlights the recency of version 6.4.0, indicating access to the latest improvements and potentially better compatibility with newer ECMAScript standards. If you're working with contemporary JavaScript syntax or require the most up-to-date parsing capabilities, upgrading to version 6.4.0 is recommended. Otherwise, both versions offer robust ECMAScript parsing within an MIT-licensed package. Developers integrating Acorn into build tools, code analysis software, or similar applications will find either version highly valuable.
All vulnerabilities related to version 6.4.0 of the package
Regular Expression Denial of Service in Acorn
Affected versions of acorn are vulnerable to Regular Expression Denial of Service. A regular expression literal of the form /[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF-16, which usually results in it being sanitized before it reaches the parser. If an application processes untrusted input and passes it directly to acorn, attackers can exploit the vulnerability to cause a denial of service.
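The advisory points out that the triggering input is not well-formed UTF-16 (the \ud800 is a lone high surrogate), and that applications are normally protected because such input gets sanitized before it reaches the parser. The following is an added example, not code from acorn or from the advisory, showing what that front-line check looks like: it scans source text for lone surrogate code units and refuses to hand malformed text to whatever parse function the caller supplies. The `safeParse` wrapper, the `stubParse` stand-in (used so the example runs without acorn installed) and the sample source strings are all constructed for this illustration.

```javascript
// Added example (not acorn's own code): reject source text that contains lone
// UTF-16 surrogates before it reaches the parser, since the advisory's
// triggering input is by definition malformed UTF-16.

// Returns the index of the first lone surrogate code unit, or -1 if the
// string is well-formed UTF-16. Runtimes that provide String.prototype
// .isWellFormed() (Node 20+) can use that instead; this is a hand-rolled
// equivalent for portability.
function findLoneSurrogate(str) {
  for (let i = 0; i < str.length; i++) {
    const cu = str.charCodeAt(i);
    if (cu >= 0xd800 && cu <= 0xdbff) {
      // High surrogate: must be immediately followed by a low surrogate.
      const next = i + 1 < str.length ? str.charCodeAt(i + 1) : -1;
      if (next >= 0xdc00 && next <= 0xdfff) {
        i++; // valid pair, skip the low half
      } else {
        return i;
      }
    } else if (cu >= 0xdc00 && cu <= 0xdfff) {
      // Low surrogate with no preceding high surrogate.
      return i;
    }
  }
  return -1;
}

// Wraps an arbitrary parse function (for example acorn's parse, supplied by
// the caller) so that malformed UTF-16 is refused up front instead of being
// handed to the parser. Hypothetical helper, not part of acorn's API.
function safeParse(parse, source) {
  const idx = findLoneSurrogate(source);
  if (idx !== -1) {
    const hex = source.charCodeAt(idx).toString(16).padStart(4, '0');
    throw new SyntaxError(`lone UTF-16 surrogate \\u${hex} at index ${idx}; refusing to parse`);
  }
  return parse(source);
}

// Constructed sample inputs. The first embeds the advisory's pattern: the
// \ud800 escape in this JS string literal yields a lone high-surrogate code
// unit in the resulting source text, which is exactly what the guard catches.
const MALFORMED_SOURCE = 'const re = /[x-\ud800]/u;';
// Same shape, but with a real astral character (a proper surrogate pair).
const WELLFORMED_SOURCE = 'const re = /[x-\u{1F600}]/u;';

// Stand-in parser so the example runs without acorn installed; it only
// reports the length of what it was given.
function stubParse(source) {
  return { type: 'Program', length: source.length };
}

// Runs both samples through the guard and reports what happened to each.
function demo() {
  const results = {};
  try {
    safeParse(stubParse, MALFORMED_SOURCE);
    results.malformed = 'parsed';
  } catch (e) {
    results.malformed = e.message;
  }
  results.wellformed = safeParse(stubParse, WELLFORMED_SOURCE).type;
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

In a real deployment `stubParse` would be replaced by acorn's own `parse`. The check is cheap (a single linear pass over the code units) and is independent of the parser version, so it is a reasonable defence in depth for any service that parses untrusted JavaScript, in addition to moving to a release in which the advisory is addressed and, for hostile input, running the parser under a time limit in a separate worker.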