Babel-jest version 24.9.0 is a Jest plugin designed to seamlessly integrate Babel for code transformations during testing. Comparing it to the previous stable version, 24.8.0, reveals a few key updates relevant for developers. Firstly, both versions maintain core dependencies like chalk for terminal styling and slash for cross-platform path handling. However, version 24.9.0 updates its @jest dependencies, specifically @jest/types and @jest/transform, bumping them to version 24.9.0, which indicates improvements or bug fixes within Jest's typing and transformation processes. Crucially, babel-preset-jest is updated from version 24.6.0 to 24.9.0, suggesting changes in how Babel presets are handled during Jest transformations, which may affect the compatibility or behavior of your tests. Both versions share development dependencies like @babel/core and @types/slash, along with consistent peer dependencies on @babel/core, ensuring compatibility with Babel 7. While both leverage babel-plugin-istanbul for code coverage reporting, the unpacked size of version 24.8.0 is significantly larger and it ships more files, which hints at refactoring or optimization in the newer 24.9.0 release, resulting in a leaner package. The repository location also has a minor change, updating the URL scheme from git+https to https, but it is functionally equivalent. In essence, developers upgrading to 24.9.0 can expect refined Jest integration, potential improvements in Babel preset handling, and a smaller package size, while maintaining core compatibility with existing Babel configurations.
All vulnerabilities related to version 24.9.0 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* greedily matches anything. When a malicious payload is passed, the pattern matching keeps backtracking through the input for as long as it fails to find the closing bracket. As the input size increases, the time consumed also increases, until the application hangs or slows down. There was a merged fix, but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that does not start backtracking the regular expression due to greedy matching.
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends imbalanced braces as input, the parser enters a loop that keeps allocating heap memory without ever freeing it during the loop. Eventually the JavaScript heap limit is reached and the program crashes.
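Both advisories above describe pattern inputs that cost a brace-expansion library unbounded time or memory: a pattern that never reaches its closing bracket, and imbalanced braces that drive the parser into an allocating loop. The following is an added example, not code from babel-jest, micromatch or braces: a single-pass, linear-time guard that rejects oversized or imbalanced patterns before they are handed to such a library, with the 1024-character cap as an assumed value to tune per application.

```javascript
// Added example (not from babel-jest, micromatch or braces): validate a
// brace pattern in O(n) before passing it to a brace-expansion library.
// The length cap is an assumed value; pick one that fits your patterns.
const MAX_PATTERN_LENGTH = 1024;

// Returns { ok: true } or { ok: false, reason } for a candidate pattern.
// Reasons: 'not-a-string', 'too-long', 'unbalanced'.
function checkBracePattern(pattern, maxLength = MAX_PATTERN_LENGTH) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not-a-string' };
  // Bound the work a downstream parser can be asked to do.
  if (pattern.length > maxLength) return { ok: false, reason: 'too-long' };

  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; } // escaped character: skip it
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) return { ok: false, reason: 'unbalanced' }; // stray '}'
      depth--;
    }
  }
  // Any unclosed '{' is the "missing closing bracket" case from the advisories.
  if (depth !== 0) return { ok: false, reason: 'unbalanced' };
  return { ok: true };
}

// Wrap an expansion function (e.g. a brace-expansion library) so that only
// validated patterns reach it; rejected patterns raise instead of hanging.
function expandGuarded(pattern, expandFn, maxLength = MAX_PATTERN_LENGTH) {
  const result = checkBracePattern(pattern, maxLength);
  if (!result.ok) throw new Error(`rejected pattern: ${result.reason}`);
  return expandFn(pattern);
}

// Constructed sample inputs, labelled so the behaviour is visible when run.
const samples = {
  balanced: 'src/{a,b}/*.{js,ts}',
  nested: 'a{b,{c,d}}e',
  escaped: 'a\\{b',
  unclosed: 'a{b,c',
  stray: 'a}b',
  oversized: '{'.repeat(5000),
};
for (const [label, p] of Object.entries(samples)) {
  console.log(label, checkBracePattern(p));
}
```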