hosted-git-info is an npm package that extracts metadata from, and converts between, repository URLs for hosts such as GitHub, Bitbucket, and GitLab. Versions 2.1.5 and 2.2.0 share the same core functionality; the notable differences between them are in their development dependencies.
The primary change is in the testing framework. Version 2.2.0 updates the tap devDependency from ^0.4.13 to ^10.0.2, a large jump to a much newer test runner. Contributors who run the package's own test suite should note this, since the newer runner may change how the suite is written, run and reported; consumers of the package are not affected, because devDependencies are not installed with it.
Both versions keep the same standard code-style devDependency, the ISC license, and the same author and repository metadata, so ownership and contribution guidelines are unchanged. Version 2.1.5 was published in May 2016 and version 2.2.0 in February 2017; beyond the newer test tooling, any other differences between them are minor internal changes.
For consumers of hosted-git-info the practical impact is small: npm does not install a dependency's devDependencies, so the tap upgrade changes nothing about the code that runs at runtime, and the public API is the same in both versions. Only contributors who clone the repository and run its test suite need to check that the newer tap fits their tooling. Moving to 2.2.0 is therefore low-risk, but it is not a security upgrade: the ReDoS issue listed below affects both 2.1.5 and 2.2.0.
All vulnerabilities affecting version 2.2.0 of the package
Regular Expression Denial of Service in hosted-git-info
The npm package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity: an attacker who controls the string passed to fromUrl (for example through a package manifest or a user-supplied repository reference) can supply a long input that never matches but keeps the regex engine backtracking for time that grows superlinearly with the input length. The fix shipped in 3.0.8 and was backported to the 2.x line as 2.8.9; the 2.1.5 and 2.2.0 releases discussed above are both affected, so projects that must stay on 2.x should require 2.8.9 or later.
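The following is an added example and not hosted-git-info's source: the page names the shortcutMatch regex in fromUrl but does not reproduce it, so VULNERABLE_SHORTCUT below is a constructed pattern for a "type:[user@]host/path" shortcut that carries the bug class the advisory describes (an optional group whose two character classes overlap, placed in front of a separator the input can omit). It is shown next to a hardened rewrite, a length guard (MAX_SHORTCUT_LENGTH is an assumed value), and a timing function so the quadratic blow-up can be measured on a crafted input rather than taken on trust. The parseShortcut, safeParseShortcut, craftedInput, timeExec and demonstrate names are the example's own.

```javascript
// Added example, not hosted-git-info's code. VULNERABLE_SHORTCUT is a
// constructed pattern with the bug class the advisory describes.

// Constructed: `[^@:]+(?:[^@]+)?@` can split a long run of ordinary characters
// between its two overlapping classes in O(n) ways, and every split is tried
// before the missing `@` fails the group, so input with no `@` and no `/`
// costs O(n^2) backtracking steps before the overall match fails.
const VULNERABLE_SHORTCUT =
  /^([^:]+):(?:(?:[^@:]+(?:[^@]+)?@)?([^/]*))[/](.+?)(?:[.]git)?($|#)/;

// Hardened rewrite: a single class for the user-info part, so a missing `@`
// fails after one linear scan. Shortcuts a caller would normally pass
// (with or without user:password@) parse to the same parts as before.
const HARDENED_SHORTCUT =
  /^([^:]+):(?:(?:[^@]+@)?([^/]*))[/](.+?)(?:[.]git)?($|#)/;

// Assumed upper bound on accepted input length. Backtracking cost grows with
// length, so refusing oversized strings caps the damage even if a pattern
// regresses later.
const MAX_SHORTCUT_LENGTH = 2048;

// Monotonic-ish clock that works on Node, Deno, Bun and browsers.
const now = typeof performance !== 'undefined' ? () => performance.now() : () => Date.now();

// Runs a shortcut pattern and returns the named parts, or null on no match.
function parseShortcut(pattern, input) {
  const m = pattern.exec(input);
  if (!m) return null;
  return { type: m[1], host: m[2], path: m[3] };
}

// Length guard in front of the hardened pattern: defence in depth for callers.
function safeParseShortcut(input) {
  if (typeof input !== 'string' || input.length > MAX_SHORTCUT_LENGTH) return null;
  return parseShortcut(HARDENED_SHORTCUT, input);
}

// Worst-case input for the vulnerable pattern (constructed): a valid "type:"
// prefix followed by a long run that contains neither `@` nor `/`, so the
// match can only fail, and fails slowly.
function craftedInput(n) {
  return 'github:' + 'a'.repeat(n);
}

// Wall-clock milliseconds for a single exec() of `pattern` on `input`.
function timeExec(pattern, input) {
  pattern.exec('github:npm/hosted-git-info'); // warm up the compiled regex
  const start = now();
  pattern.exec(input);
  return now() - start;
}

// Times both patterns on the same crafted input and returns the numbers so a
// caller can check the gap rather than eyeball printed output.
function demonstrate(n) {
  const input = craftedInput(n);
  const vulnerableMs = timeExec(VULNERABLE_SHORTCUT, input);
  const hardenedMs = timeExec(HARDENED_SHORTCUT, input);
  return { n, vulnerableMs, hardenedMs, ratio: vulnerableMs / hardenedMs };
}

console.log(demonstrate(3000));
```

Raising n in demonstrate(n) by a factor of ten should raise vulnerableMs by roughly a hundred while hardenedMs barely moves; that gap, not the absolute numbers, is the signature of the polynomial worst case the advisory describes. The hardened pattern is the real fix; the length guard only bounds how much a future regression can cost.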