Awesome Typescript Loader is a popular webpack loader that enables developers to seamlessly integrate TypeScript compilation into their webpack build process. Examining versions 4.0.0 and 4.0.1 reveals minimal changes, suggesting a bug fix or minor enhancement release. Both versions share identical dependencies and devDependencies, indicating feature parity and a consistent development environment. This includes essential packages like typescript for compilation, webpack for bundling, and testing frameworks like mocha and chai.
A marginal difference exists in the unpackedSize within the dist object; version 4.0.1 has an unpacked size of 419928 bytes compared to 419756 bytes in version 4.0.0. This very slight repackaging suggests that the changes from version 4.0.0 to 4.0.1 are likely minimal code modifications or packaging adjustments, not a larger feature release. The releaseDate also highlights this, where version 4.0.1 was released shortly after version 4.0.0.
For developers, both versions of awesome-typescript-loader provide a robust and efficient solution for incorporating TypeScript into webpack workflows. The peer dependency on typescript: ^2 emphasizes compatibility with TypeScript 2.x versions. The loader leverages popular utilities such as loader-utils, lodash, and micromatch. While version 4.0.1 may contain bug fixes or very minor tweaks, users already on 4.0.0 might consider upgrading, but the impact would likely be minimal. New users can confidently use either version, and should move to the most recent published version when upgrading.
All the vulnerabilities related to version 4.0.1 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking over the input while it does not find the closing bracket. As the input size increases, the processing time also increases until the application hangs or slows down. There was a merged fix, but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing enters a loop that allocates heap memory without ever freeing it. Eventually the JavaScript heap limit is reached and the program crashes.
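Both advisories above (the micromatch ReDoS triggered by an unclosed bracket and the braces memory exhaustion triggered by imbalanced braces) start from a pattern that is syntactically unbalanced or far longer than any legitimate glob. Upgrading the transitive dependency is the real fix; until then, an application that accepts patterns from untrusted input can refuse such patterns before they ever reach micromatch() or braces(). The guard below is an added example, not code from awesome-typescript-loader, micromatch or braces; the length limit and the sample patterns are constructed for illustration, and the check is deliberately conservative (it rejects a few exotic but legal patterns rather than letting an unbalanced one through).

```javascript
'use strict';

// Added example: a user-side pre-validation guard for glob/brace patterns.
// Not part of awesome-typescript-loader, micromatch or braces.
// The limit below is an assumed value; tune it to what your application needs.
const DEFAULT_MAX_PATTERN_LENGTH = 256;

// Find the ']' that closes a bracket class starting at pattern[i] === '['.
// Returns its index or -1 if the class is never closed. As in POSIX globs,
// a ']' placed directly after '[' or after '[!' / '[^' is a literal member.
function endOfBracketClass(pattern, i) {
  let j = i + 1;
  if (pattern[j] === '!' || pattern[j] === '^') j++;
  if (pattern[j] === ']') j++;
  for (; j < pattern.length; j++) {
    if (pattern[j] === '\\') { j++; continue; } // skip escaped character
    if (pattern[j] === ']') return j;
  }
  return -1;
}

// Returns { ok: true } or { ok: false, reason } for a single pattern.
// Rejects non-strings, over-long input, unclosed '[' classes, and
// unbalanced '{ }' / '( )' groups (including mismatched nesting).
function validatePattern(pattern, maxLength = DEFAULT_MAX_PATTERN_LENGTH) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > maxLength) {
    return { ok: false, reason: `pattern exceeds ${maxLength} characters` };
  }
  const closers = { '{': '}', '(': ')' };
  const stack = []; // closers we still expect, innermost last
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; } // escaped character is literal
    if (ch === '[') {
      const end = endOfBracketClass(pattern, i);
      if (end < 0) return { ok: false, reason: `unclosed '[' at ${i}` };
      i = end;
      continue;
    }
    if (closers[ch]) { stack.push(closers[ch]); continue; }
    if (ch === '}' || ch === ')') {
      if (stack.pop() !== ch) {
        return { ok: false, reason: `unbalanced '${ch}' at ${i}` };
      }
    }
  }
  if (stack.length > 0) {
    return { ok: false, reason: `unclosed group, expected '${stack[stack.length - 1]}'` };
  }
  return { ok: true };
}

// Keep only the patterns that pass the guard; the rest are dropped (log them
// in a real application so the rejection is visible to operators).
function filterSafePatterns(patterns, maxLength = DEFAULT_MAX_PATTERN_LENGTH) {
  return patterns.filter((p) => validatePattern(p, maxLength).ok);
}

// Constructed sample patterns: two legitimate globs, one with an unclosed
// brace, one with an unclosed bracket class, and one over-long input.
const SAMPLE_PATTERNS = [
  'src/**/*.{ts,tsx}',
  '[!]a]/*.js',
  'a{b,c',
  '[abc',
  'x'.repeat(300),
];

for (const p of SAMPLE_PATTERNS) {
  console.log(JSON.stringify(p.slice(0, 32)), validatePattern(p));
}
```

Call validatePattern() (or filterSafePatterns() for a list) on any pattern that originates outside the build, for example from a configuration file or a request parameter, and only hand the survivors to micromatch(). The guard does not replace the library fix: a balanced pattern can still be expensive, so the length limit matters as much as the structural check.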