The color package, a JavaScript library for color manipulation and conversion with CSS string support, moved from version 0.11.0 to 0.11.1 in early January 2016, a patch-level release under semantic versioning. Both versions share the same core functionality: converting between color models (RGB, HSL, hexadecimal and others) and applying operations such as darkening, lightening and adjusting the alpha channel. Both depend on the same two runtime packages, color-string (parsing and formatting CSS color strings) and color-convert (color-space conversion).
The key difference between 0.11.0 and 0.11.1 lies in the development tooling. Both versions list mocha, pinned to version 2.2.5, for testing; 0.11.1 additionally adds xo, a JavaScript linter and code-style checker, pinned to version 0.12.1, as a development dependency. For developers contributing to the color library itself, this enforces a consistent code style and catches common mistakes before review. End users who install the package will not see any functional change, because the public API and the runtime dependencies are identical. The 0.11.1 release is therefore a change to the package's internal development workflow rather than to its behaviour; since a development dependency is not installed by consumers, the addition of xo does not alter what ends up in a dependent application's node_modules either.
Known vulnerabilities affecting version 0.11.1 of the package (inherited through its color-string dependency)
Regular Expression Denial of Service (ReDoS)
The npm package color-string contains a ReDoS (Regular Expression Denial of Service) vulnerability in its parser for hwb() color strings: processing time grows superlinearly with input length. Strings of more than 5,000 characters took several milliseconds to process; strings of more than 50,000 characters took around 1,500 ms (1.5 s).
The cause was the regular expression that parses hwb() strings, specifically the hue value, where the integer portion of the hue was matched by a 0-or-more quantifier followed shortly afterwards by a 1-or-more quantifier. On a long run of digits that never reaches the expected separator, the regex engine retries every possible split of that run between the two quantifiers before failing, a cartesian scan whose backtracking work grows with the square of the input length. That is quadratic rather than truly exponential growth, and the figures above (a tenfold longer input costing a few hundred times more) fit that curve. Because color resolves CSS color strings through color-string, any application that hands attacker-controlled strings to color's parser inherits the problem; besides upgrading color-string, a cheap interim mitigation is to reject color strings above a small length cap before they reach the regex, since a legitimate CSS color string is never more than a few dozen characters long.
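The following is an added example and is not code from the color or color-string projects. It places a reconstruction of the vulnerable hwb() regex beside a bounded form of the kind that closed the issue (the integer part of the hue limited to a few digits); both patterns are written from memory of color-string's source and should be checked against the version actually installed. The names parseHwb, redosPayload, measureMs, safeParseHwb and MAX_COLOR_STRING are this example's own, and the timing numbers it prints depend on the machine.

```javascript
// Added example (not color-string's own code). The two regexes below are
// reconstructions of the vulnerable and fixed hwb() patterns; confirm them
// against the color-string release you ship before relying on them.
'use strict';

const now = () => (globalThis.performance ? performance.now() : Date.now());

// Vulnerable form: `\d*[\.]?\d+` lets the engine try every split of a digit
// run between the 0-or-more and the 1-or-more quantifier before giving up.
const VULNERABLE_HWB =
  /^hwb\(\s*([+-]?\d*[\.]?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;

// Fixed form (assumed shape): the integer part is bounded to at most three
// digits, so there are at most four ways to split it and a failing match
// costs time linear in the input. Hue angles of 1000 or more are rejected,
// which is harmless for a value that is reduced modulo 360 anyway.
const FIXED_HWB =
  /^hwb\(\s*([+-]?\d{0,3}(?:\.\d+)?)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;

function clamp(n, lo, hi) { return Math.min(Math.max(n, lo), hi); }

// Parse "hwb(h[deg], w%, b%[, a])" into [h, w, b, a] or null, with the regex
// supplied by the caller so the two forms can be compared on equal terms.
function parseHwb(str, re) {
  const m = re.exec(str);
  if (!m) return null;
  const h = ((parseFloat(m[1]) % 360) + 360) % 360;      // normalise to [0, 360)
  const w = clamp(parseFloat(m[2]), 0, 100);
  const b = clamp(parseFloat(m[3]), 0, 100);
  const a = m[4] === undefined ? 1 : clamp(parseFloat(m[4]), 0, 1);
  return [h, w, b, a];
}

// Constructed attacker input: a long run of digits after "hwb(" that never
// reaches the "," the pattern needs next, so every split is tried and fails.
function redosPayload(n) { return 'hwb(' + '1'.repeat(n); }

// Milliseconds spent on one failing match attempt.
function measureMs(re, input) {
  const t0 = now();
  re.test(input);
  return now() - t0;
}

// Defence in depth for code that cannot upgrade immediately: cap the length
// before any regex sees the string. No real CSS colour string is this long.
const MAX_COLOR_STRING = 64;
function safeParseHwb(str) {
  if (typeof str !== 'string' || str.length > MAX_COLOR_STRING) return null;
  return parseHwb(str, FIXED_HWB);
}

function demo() {
  const sample = 'hwb(120deg, 30%, 50%, .5)';
  console.log('vulnerable regex parses', sample, '->', parseHwb(sample, VULNERABLE_HWB));
  console.log('fixed regex parses     ', sample, '->', parseHwb(sample, FIXED_HWB));
  for (const n of [2000, 4000, 8000]) {          // doubling n roughly quadruples the slow case
    const p = redosPayload(n);
    console.log(`n=${n}: vulnerable ${measureMs(VULNERABLE_HWB, p).toFixed(2)} ms,`
              + ` fixed ${measureMs(FIXED_HWB, p).toFixed(3)} ms`);
  }
  console.log('length cap rejects payload:', safeParseHwb(redosPayload(100)) === null);
}

demo();
```

Run it with node; the slow column should grow roughly fourfold each time n doubles while the fixed column stays flat, which is the quadratic-versus-linear difference the advisory describes in terms of backtracking.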