Gulp 4.0.0 represents a significant evolution from the older 3.9.1, introducing architectural changes that impact how developers structure their build processes. One of the most notable shifts lies in the core task management. The underlying task orchestrator has been revamped, promising enhanced concurrency and more predictable task execution. This translates to faster build times, particularly for complex workflows. The move away from the orchestrator package (present in 3.9.1) to undertaker in 4.0.0 reflects this deeper architectural change.
Dependency management also sees a major overhaul. Gone are dependencies like gulp-util, pretty-hrtime, and liftoff, streamlining the core package and shifting responsibility for these utilities to individual plugins or user-defined functions. The upgrade to vinyl-fs from version 0.3.0 to version 3.0.0 brings modern file system operations and improved stream handling. This improved vinyl-fs reduces several potential errors and allows for more performant operations.
Furthermore, Gulp 4 introduces a command-line interface dependency, encapsulating CLI responsibilities within the gulp-cli package. This separation provides version isolation between the Gulp package and the utility's command-line execution. Developers should note the change in task definition: series() and parallel() are now used to define task dependencies, and composing functions/tasks becomes the prominent pattern. Developers may also note that this version was released almost 2 years after the previous one.
All the vulnerabilities related to version 4.0.0 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking through the input as long as it does not find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix, but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any point in the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
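Both advisories above concern user-controlled glob patterns reaching a brace-expanding matcher, one through unbounded input length, the other through unmatched braces that trigger backtracking. The following added example (not code from gulp, micromatch or braces) is a linear-time pre-check a build script can run on untrusted patterns before handing them to the matcher; the function names, the length limit and the sample patterns are constructed for illustration.

```javascript
// Added example: validate glob patterns before they reach micromatch/braces.
// Function names and the default limit are illustrative assumptions.

const DEFAULT_MAX_PATTERN_LENGTH = 256; // constructed bound; braces itself set none

/**
 * Validate a user-supplied glob pattern in a single pass.
 * Returns { ok: true } or { ok: false, reason }.
 * - Rejects input longer than maxLength (the braces memory-exhaustion issue
 *   came from unbounded input to lib/parse.js).
 * - Rejects imbalanced braces using a depth counter, so the check is O(n) and
 *   never backtracks (the micromatch ReDoS came from a greedy `.*` scanning
 *   for a closing bracket that never arrives). This may be stricter than the
 *   matcher itself, which is the point of a pre-filter.
 */
function validateGlobPattern(pattern, maxLength = DEFAULT_MAX_PATTERN_LENGTH) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > maxLength) {
    return { ok: false, reason: `pattern longer than ${maxLength} characters` };
  }
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; } // skip the escaped character
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) return { ok: false, reason: `unmatched "}" at index ${i}` };
      depth--;
    }
  }
  if (depth !== 0) return { ok: false, reason: `${depth} unclosed "{"` };
  return { ok: true };
}

/** Keep only the patterns that pass validation; drop the rest silently. */
function filterSafePatterns(patterns, maxLength) {
  return patterns.filter((p) => validateGlobPattern(p, maxLength).ok);
}

// Constructed sample inputs, as a build script might receive from a config file.
const samplePatterns = [
  'src/**/*.{js,ts}',       // balanced, accepted
  'src/{a,{b,c}}/*.js',     // nested but balanced, accepted
  'src/{a,b/*.js',          // unclosed brace, rejected
  'src/a}/*.js',            // stray closing brace, rejected
  'src/' + '{'.repeat(300), // over-length, rejected before any scanning
];

for (const p of samplePatterns) {
  console.log(JSON.stringify(p.slice(0, 30)), validateGlobPattern(p));
}
```

Run the validated list through gulp.src() (or the matcher directly) instead of the raw one; anything rejected here is logged and never parsed by the vulnerable code paths.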