Husky is a popular npm package that simplifies the use of Git hooks in a project, letting you run scripts automatically before commits, pushes or other Git actions. Version 4.3.0, released in September 2020, builds on the stable foundation of version 4.2.5, released in April 2020, with a few subtle but noteworthy changes for developers.
Both versions share the same core purpose: preventing bad commits and automating code-quality checks by triggering scripts through Git hooks. They rely on the same set of dependencies for their core functionality: ci-info for compatibility across different CI environments, pkg-dir for locating package directories, cosmiconfig for resolving configuration files, please-upgrade-node for enforcing Node.js version requirements, slash for cross-platform file paths, and chalk for colored terminal output.
The key difference is the updated version of cosmiconfig, which jumps from 6.0.0 in 4.2.5 to 7.0.0 in 4.3.0. A major-version bump in this dependency signals potential changes in how configuration files are located and parsed, which may affect projects with configuration-heavy setups. The unpacked size of the newer version also grows slightly, from 50854 bytes to 50967 bytes; a change that small is consistent with minor code improvements and bug fixes. Developers migrating to version 4.3.0 should consult the cosmiconfig changelog and documentation to understand what this upgrade means for their specific workflows.
Vulnerabilities reported against version 4.3.0 of the package (all concern the semver-regex dependency):
semver-regex Regular Expression Denial of Service (ReDoS)
npm semver-regex is vulnerable to Inefficient Regular Expression Complexity
Regular expression denial of service in semver-regex
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package when an attacker is able to supply arbitrary input to the test() method.