Color-string is a valuable npm package for developers needing to parse and generate CSS color strings. Version 0.3.0, released in February 2015, offers some key differences from the previous stable version, 0.2.4, released in December 2014. Both versions share the core functionality of parsing and generating CSS color strings, making it easy to work with colors in web development projects.
The primary difference lies in the dependencies. Version 0.3.0 specifies a tighter dependency on color-name, using "color-name": "^1.0.0", which means it's compatible with color-name version 1.0.0 and any minor or patch updates. The older version 0.2.4 uses "color-name": "1.0.x", which potentially allows for a broader range of 1.0.x versions. This subtle change in versioning could impact compatibility depending on the evolution of the color-name package.
Another interesting aspect is the development environment. Version 0.2.4 includes grunt, uglify-js, and browserify as devDependencies, suggesting the project used Grunt for task automation and Browserify for bundling code for the browser. These dependencies are absent in version 0.3.0, potentially indicating a shift in the development workflow or build process. Developers migrating from 0.2.4 to 0.3.0 should be aware of this change and adjust their build processes accordingly. The core functionality remains consistent, providing a reliable tool for manipulating color strings in JavaScript applications.
All the vulnerabilities related to version 0.3.0 of the package
Regular Expression Denial of Service (ReDoS)
In the npm package color-string, there is a ReDoS (Regular Expression Denial of Service) vulnerability regarding an exponential time complexity for linearly increasing input lengths for hwb() color strings.
Strings reaching more than 5000 characters would see several milliseconds of processing time; strings reaching more than 50,000 characters began seeing 1500ms (1.5s) of processing time.
The cause was the regular expression that parses hwb() strings, specifically the hue value, where the integer portion of the hue value used a 0-or-more quantifier followed shortly afterwards by a 1-or-more quantifier.
This caused excessive backtracking and a cartesian scan, resulting in exponential time complexity given a linear increase in input length.