Expect, a core component of the Jest testing framework, provides the expect function that is central to writing assertions in your tests. The jump from version 24.7.0 to 24.7.1, while seemingly minor, includes key updates that Jest users should be aware of. Both versions serve the same fundamental purpose: offering a comprehensive assertion library documented on the Jest website. They also share common dependencies such as @jest/types, ansi-styles, jest-get-type and jest-regex-util, and the same dev dependencies such as @types/ansi-styles, ensuring consistent functionality for type handling and terminal styling. Both versions also have the same file count and unpacked size.
The critical difference lies in the specific versions of jest-message-util and jest-matcher-utils. Version 24.7.1 updates jest-message-util to 24.7.1, while the previous version uses 24.7.0. Although small, this patch update likely contains bug fixes or minor enhancements related to how Jest formats and presents error messages during test failures, which affects the clarity and ease of debugging. The jest-matcher-utils package remains on version 24.7.0 for both versions. Developers should upgrade to 24.7.1 primarily to benefit from these fixes in message formatting and improve their debugging workflow, although both versions have proven stable, with the same fileCount of 43 and unpackedSize of 2961825, an MIT license, and the same hosting repository. The release date may also matter when choosing: 24.7.1 was released on 2019-04-04 and 24.7.0 on 2019-04-03.
All vulnerabilities related to version 24.7.1 of the package

Regular Expression Denial of Service (ReDoS) in micromatch

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching keeps backtracking over the input as long as it does not find the closing bracket. As the input size increases, the time consumed increases with it, until the application hangs or slows down. There was a merged fix, but further testing showed that the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that does not start backtracking the regular expression due to greedy matching.

Uncontrolled resource consumption in braces

The NPM package braces fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing enters a loop that allocates heap memory without freeing it at any point of the loop. Eventually the JavaScript heap limit is reached and the program crashes.
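Both advisories above share a root cause: the pattern library is handed untrusted input that it does not bound (overly long patterns that drive regex backtracking, and imbalanced braces that drive unbounded allocation). Upgrading the dependency is the real fix; in addition, a defensive pre-check in front of the matcher keeps such input away from the library. The following is an added example written for this page, not code from the micromatch or braces projects; the length cap of 256 characters, the helper names checkPattern and guardMatcher, and the stand-in toyMatch matcher are all assumptions made for illustration (in real code the wrapped function would be something like micromatch.isMatch).

```javascript
'use strict';

// Assumption: a sensible upper bound for user-supplied glob patterns.
const MAX_PATTERN_LENGTH = 256;

/**
 * Validate an untrusted glob/brace pattern before it reaches a pattern library.
 * Rejects non-strings, patterns over the length cap, and imbalanced braces.
 * Returns { ok: true } or { ok: false, reason }.
 */
function checkPattern(pattern, maxLength = MAX_PATTERN_LENGTH) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > maxLength) {
    return { ok: false, reason: `pattern longer than ${maxLength} characters` };
  }
  // Walk the pattern tracking brace depth; a backslash escapes the next character,
  // so "\{" is a literal brace and does not open a group.
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') {
      i++; // skip the escaped character
      continue;
    }
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) {
        return { ok: false, reason: `unmatched "}" at index ${i}` };
      }
      depth--;
    }
  }
  if (depth !== 0) {
    return { ok: false, reason: `${depth} unclosed "{"` };
  }
  return { ok: true };
}

/**
 * Wrap a matcher function so it only ever sees patterns that passed checkPattern.
 * A rejected pattern throws instead of being matched, which turns a potential
 * hang or out-of-memory crash into an ordinary, loggable input-validation error.
 */
function guardMatcher(matchFn, maxLength = MAX_PATTERN_LENGTH) {
  return function guardedMatch(input, pattern) {
    const verdict = checkPattern(pattern, maxLength);
    if (!verdict.ok) {
      throw new Error(`rejected pattern: ${verdict.reason}`);
    }
    return matchFn(input, pattern);
  };
}

// Constructed stand-in for a real matcher (e.g. micromatch.isMatch): it only
// understands a trailing "*" wildcard, which is enough to exercise the guard.
function toyMatch(input, pattern) {
  if (pattern.endsWith('*')) {
    return input.startsWith(pattern.slice(0, -1));
  }
  return input === pattern;
}

const safeMatch = guardMatcher(toyMatch);

// Demonstration on constructed inputs.
console.log(safeMatch('src/index.js', 'src/*'));          // true
console.log(checkPattern('a{b,c'));                       // { ok: false, reason: '1 unclosed "{"' }
console.log(checkPattern('x'.repeat(300)).ok);            // false
```

The guard is deliberately conservative: it does not try to decide whether a pattern is "safe" for a particular regex engine, it only enforces the two properties the advisories show the libraries themselves did not enforce at the time, a bounded length and balanced braces. Keep the cap well below anything a legitimate caller needs, log rejections so abuse is visible, and still upgrade micromatch and braces to patched versions.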