react-dev-utils is a collection of webpack utilities that Create React App uses to streamline the development workflow. Comparing versions 0.3.0 and 0.4.0 reveals subtle but noteworthy changes. Both versions share the same core dependencies: opn for opening URLs, chalk for terminal styling, ansi-html for converting ANSI-coloured strings to HTML, strip-ansi for removing ANSI escape codes, html-entities for encoding and decoding HTML entities, sockjs-client for browser/server communication, and escape-string-regexp for escaping special characters in regular expressions. The functionality built on top of them (terminal output, string manipulation, and communication with the browser) is therefore consistent between the two versions, and so is the exposure to any weakness in those dependencies.
The key difference lies in peerDependencies. Version 0.3.0 declares a peerDependencies object with "webpack": "^1.13.2", which tells the package manager that the consuming project is expected to supply webpack 1.13.2 or later within the 1.x series, and causes a warning when that expectation is not met. Version 0.4.0 drops the declaration entirely. That removes the warning, but it does not by itself prove broader compatibility; it may equally reflect a change in how the package is tested. Developers upgrading from 0.3.0 to 0.4.0 should therefore check which webpack version their project actually resolves and confirm that the utilities still behave as expected, since the package manager will no longer flag a mismatch for them. The gap between the two release dates also points to a period of refinement and bug fixing, so the create-react-app release notes are the place to look for what changed in 0.4.0.
All known vulnerabilities affecting version 0.4.0 of the package
react-dev-utils OS Command Injection in function getProcessForPort
react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, in which an input argument is concatenated into a command string that is then executed by a shell. This function is normally called from react-scripts (in Create React App projects), where the value it receives is safe. Only when the function is invoked manually with user-provided values (i.e. by custom code) is there potential for command injection. If you only consume it through react-scripts, this issue does not affect you.
Uncontrolled Resource Consumption in ansi-html
This affects all versions of the ansi-html package. If a string controlled by an attacker reaches ansi-html, the converter can be kept busy processing it for an extremely long time, which amounts to a denial of service for whatever is rendering the output.
Exposure of Sensitive Information in eventsource
When fetching a URL that responds with a redirect to an external site, the user's Cookie and Authorization headers are forwarded to, and thereby leaked to, the third-party application. Under the same-origin policy such credential headers should be stripped when a redirect crosses to another origin.
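As an added example (not eventsource's own code, and not a claim about how its fix was written), the check below decides which request headers may follow a redirect: credential headers are kept only when the redirect target has the same origin (scheme, host and effective port) as the original URL. The helper names (originOf, isSameOrigin, headersForRedirect) and the sample URLs and headers are constructed for the illustration.

```javascript
// Added example (not eventsource's own code): drop credential headers when a
// redirect leaves the original origin. Names and sample data are constructed.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };
const CREDENTIAL_HEADERS = new Set(["authorization", "cookie", "proxy-authorization"]);

// Origin is scheme + host + effective port. The URL parser lower-cases the
// host and strips an explicit default port, so the default is added back to
// make "https://a.example/" and "https://a.example:443/" compare equal.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return u.protocol + "//" + u.hostname + ":" + port;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Returns the headers that should accompany the redirected request.
// Header names are compared case-insensitively; values are untouched.
function headersForRedirect(fromUrl, toUrl, headers) {
  if (isSameOrigin(fromUrl, toUrl)) {
    return { ...headers };
  }
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) {
      kept[name] = value;
    }
  }
  return kept;
}

// Constructed scenario: an SSE endpoint that 302-redirects elsewhere.
const original = "https://app.example.com/events";
const headers = {
  Authorization: "Bearer s3cr3t",
  Cookie: "session=abc",
  Accept: "text/event-stream",
};
console.log("same origin:", headersForRedirect(original, "https://app.example.com:443/events-v2", headers));
console.log("cross origin:", headersForRedirect(original, "https://evil.example.net/collect", headers));
```

Note that a scheme downgrade (https to http on the same host) is treated as a different origin, so credentials are dropped there too; that matches the browser's origin definition rather than a host-only comparison.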