Normalize-url version 5.0.0 introduces several updates compared to the previous stable version 4.5.1, impacting developers relying on this utility for URL normalization. Key differences lie in the updated development dependencies. Version 5.0.0 upgrades xo to ^0.25.3 and nyc to ^15.0.0, while version 4.5.1 uses xo@^0.24.0 and nyc@^14.1.1. The tsd version also sees a bump from ^0.8.0 to ^0.11.0. Developers should evaluate these dependency updates for compatibility with their existing projects.
Interestingly, despite these updates, the unpacked size decreases from 18105 bytes in version 4.5.1 to 17059 bytes in version 5.0.0, suggesting potential optimizations in the codebase or build process. The release dates also highlight a substantial gap, with version 5.0.0 released on January 31, 2020, and version 4.5.1 released much later, on May 24, 2021, which is odd and could be a typo. Both versions maintain the MIT license and the same repository, author, and funding information, indicating no changes in ownership or licensing terms. Developers should consider these factors when choosing between the two versions, especially regarding dependency compatibility and possible bug fixes or performance improvements. Reviewing the changelog and commit history is recommended for a complete understanding of the changes.
All the vulnerabilities related to version 5.0.0 of the package
ReDoS in normalize-url
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
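As an added defensive illustration (this is not normalize-url's own code and does not reproduce its affected pattern), the following normalizer parses RFC 2397 data: URLs with index arithmetic and a single split instead of a regular expression, so the work grows linearly with input length and no backtracking can occur; the charset and media-type defaults it drops are the RFC 2397 defaults, an assumption about what "normalized" should mean here:

```javascript
// Added example, not code from normalize-url. Parses
// data:[<mediatype>][;attr=value]*[;base64],<data> in linear time.
function normalizeDataUrl(url) {
  if (url.slice(0, 5).toLowerCase() !== 'data:') {
    throw new TypeError('not a data: URL');
  }
  // The first comma always ends the header; the body itself may contain commas.
  const comma = url.indexOf(',');
  if (comma === -1) {
    throw new TypeError('data: URL has no "," between header and data');
  }
  const header = url.slice(5, comma);
  const body = url.slice(comma + 1);

  // header := [mediatype][;attr=value]*[;base64]; one split, no backtracking.
  const parts = header.split(';');
  let mediaType = parts.shift().trim().toLowerCase();
  let isBase64 = false;
  const attributes = [];
  for (const part of parts) {
    const p = part.trim().toLowerCase();
    if (p === 'base64') {
      isBase64 = true;
    } else if (p === 'charset=us-ascii') {
      // RFC 2397 default charset (assumption): dropping it changes nothing.
    } else if (p.length > 0) {
      attributes.push(p);
    }
  }
  // RFC 2397 default media type (assumption): omit it when nothing qualifies it.
  if (mediaType === 'text/plain' && attributes.length === 0) {
    mediaType = '';
  }
  // Whitespace inside base64 payloads is insignificant; strip it in one pass.
  let data = body;
  if (isBase64) {
    let out = '';
    for (let i = 0; i < body.length; i++) {
      const c = body[i];
      if (c !== ' ' && c !== '\t' && c !== '\r' && c !== '\n') out += c;
    }
    data = out;
  }
  let normalizedHeader = mediaType;
  for (const a of attributes) normalizedHeader += ';' + a;
  if (isBase64) normalizedHeader += ';base64';
  return `data:${normalizedHeader},${data}`;
}
```

A useful check when reviewing any URL-normalizing code is to run it over an input of a few hundred thousand characters and confirm the time stays proportional to length; the parser above passes that check because every step is a single forward scan.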