Micromatch version 4.0.6 is an incremental update to the popular glob-matching library, building on version 4.0.5. The visible changes are dependency updates: braces moves from 3.0.2 to 3.0.3 and picomatch from 2.3.1 to 4.0.2, the two packages that provide brace expansion and the core matching engine respectively. Whatever bug fixes and performance changes those releases contain are inherited by micromatch, so the behaviour of 4.0.6 is defined largely by what changed in its dependencies rather than by new code of its own.
Development dependencies are updated as well: mocha goes from 9.2.2 to 10.4.0 and minimatch from 5.0.1 to 9.0.3. These affect only the test suite and tooling, not what ships to users. fill-range, time-require and gulp-format-md are unchanged. Taken together, the bumps in the two runtime dependencies are the substantive part of this release.
Beyond the dependency bumps, callers may see small performance differences or changed edge-case behaviour coming from the updated braces and picomatch code. The unpacked size grows from 55,947 to 57,044 bytes, and the publish date moves from March 2022 (4.0.5) to May 2024 (4.0.6), which shows the package is still being maintained. Users should not, however, treat 4.0.6 as risk-free: it is below 4.0.8, the first release that resolves the ReDoS advisory listed below, so any project that passes untrusted patterns to micromatch.braces() should upgrade to 4.0.8 or later rather than stop at 4.0.6.
Known vulnerabilities affecting version 4.0.6 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The npm package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The problem is in micromatch.braces() in index.js: the check that decides whether a pattern contains braces uses a regular expression whose greedy .* will match anything, so on a crafted pattern the engine keeps backtracking through the input while it fails to find a closing brace. Matching time grows with the input size until the application slows down or hangs. An earlier fix was merged, but further testing showed the issue persisted until https://github.com/micromatch/micromatch/pull/266. The mitigation is to use a safe check that cannot start backtracking because of greedy matching, and in practice to upgrade to 4.0.8 or later.
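The following is an added example, not micromatch's own code, showing the shape of the problem described above: a brace-detection check built on a greedy regular expression beside a linear-time replacement, plus a constructed payload that makes the regex version degrade. The vulnerable regex is reconstructed from the advisory's description as /\{.*\}/ (an assumption; check the shipped index.js for the exact expression), and bracesGuard() is a hypothetical stand-in for the guard inside micromatch.braces(), not the library's implementation.

```javascript
// Added example (not micromatch's code): quadratic brace check vs. linear check.
// Assumption: the vulnerable test in micromatch.braces() had the form /\{.*\}/.

// Vulnerable: for every '{' in the input the greedy .* runs to the end of the
// string and then backtracks one character at a time looking for a '}'. An
// input of n opening braces and no closing brace therefore costs about n*n/2
// steps, which is the slowdown the advisory describes.
function hasBracesVulnerable(pattern) {
  return /\{.*\}/.test(pattern);
}

// Hardened: two indexOf scans, O(n), nothing to backtrack. For any single-line
// pattern this gives the same answer as the regex: true iff some '{' is
// followed later in the string by a '}'.
function hasBracesSafe(pattern) {
  const open = pattern.indexOf('{');
  return open !== -1 && pattern.indexOf('}', open + 1) !== -1;
}

// Hypothetical stand-in for the guard in micromatch.braces(): return the
// pattern unexpanded when there is nothing to expand, otherwise call the
// expander. `check` is injected so both variants can be exercised.
function bracesGuard(pattern, check, expand) {
  if (typeof pattern !== 'string') throw new TypeError('Expected a string');
  if (!check(pattern)) return [pattern];
  return expand(pattern);
}

// Constructed malicious input: n opening braces, no closing brace.
function redosPayload(n) {
  return '{'.repeat(n);
}

// Wall-clock cost of one check, in milliseconds.
function measureMs(check, pattern) {
  const start = process.hrtime.bigint();
  check(pattern);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Caveat when swapping implementations: the regex has no 's' flag, so '.'
// does not cross a newline, while indexOf treats '\n' like any other byte.
// Glob patterns normally have no newlines; if yours can, choose deliberately.
function disagreeOnNewline() {
  const p = '{a\nb}';
  return hasBracesVulnerable(p) !== hasBracesSafe(p);
}

if (typeof require !== 'undefined' && require.main === module) {
  // Doubling n roughly quadruples the regex time; indexOf stays flat.
  for (const n of [1000, 2000, 4000, 8000]) {
    const payload = redosPayload(n);
    console.log(
      `n=${n} regex=${measureMs(hasBracesVulnerable, payload).toFixed(1)}ms ` +
      `indexOf=${measureMs(hasBracesSafe, payload).toFixed(2)}ms`
    );
  }
}
```

Run it with node and compare the two columns as n doubles: the regex column grows roughly fourfold per step while the indexOf column stays near zero. The same measurement, pointed at the real micromatch.braces() of an installed version, is a quick way to confirm whether a deployment is still on the affected code path.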