Micromatch, a popular JavaScript library for glob matching, moved from version 4.0.4 to 4.0.5, a small release that brings subtle improvements and dependency updates. Both versions offer a faster drop-in alternative to libraries such as minimatch and multimatch, which makes them well suited to file system traversal, build processes, and other tasks that require pattern matching.
The key differences lie in the dependency updates. Version 4.0.5 upgrades the braces dependency to ^3.0.2 and picomatch to ^2.3.1. This matters because such updates usually carry bug fixes, performance enhancements, and potentially new features in those underlying libraries. Developers should pay particular attention to the picomatch update, since picomatch is the core glob-matching engine underneath micromatch.
Furthermore, there is a shift in the development dependencies. While both versions include tools like fill-range, time-require, and gulp-format-md, the versions of mocha and minimatch differ. Version 4.0.5 uses mocha ^9.2.2 and minimatch ^5.0.1, whereas 4.0.4 relies on mocha ^7.2.0 and minimatch ^3.0.4. These updates, while primarily for development and testing, suggest an ongoing effort to stay current with the latest testing frameworks and related tools. Finally, the unpacked package size decreased to 55947 bytes, which may reflect some optimization. If you are already using Micromatch, upgrading to 4.0.5 is recommended so that you benefit from the latest fixes.
All the vulnerabilities related to version 4.0.5 of the package

Regular Expression Denial of Service (ReDoS) in micromatch

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking over the input while it does not find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix, but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.