read-package-json 1.1.7 is a minor update over 1.1.6. Both versions read and interpret package.json files, a core step in Node.js development and npm dependency management: they fill in default values, interpret the fields the way npm does, and validate the result so that a project's configuration is understood correctly.
The dependencies are largely the same in both versions: glob for file pattern matching, lru-cache for caching, and graceful-fs for file system operations that tolerate transient errors such as EMFILE. The one change is the normalize-package-data dependency, bumped from ~0.2.7 to ~0.2.9 in 1.1.7. That module performs the normalization and validation of package data, so the bump most likely picks up fixes for edge cases or compatibility with unusual package.json layouts. Developers upgrading from 1.1.6 should therefore expect the normalized output to differ only for uncommon package setups. The change is small, but it reflects the project's ongoing refinement of its core functionality. Maintained since 2014 by Isaac Z. Schlueter, both versions are released under the ISC license.
All the vulnerabilities related to version 1.1.7 of the package. Each of them sits in a transitive dependency (minimatch is pulled in through glob, semver through normalize-package-data), so the remediation is to update those packages in the dependency tree rather than read-package-json itself.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
var result = "";
for (var i = 0; i < len; i++) {
result = result + chr;
}
return result;
}
// a character class opened with "[!" followed by a very long run of backslashes
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit: the call below never returns in a timely manner on affected versions
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A second ReDoS flaw in the minimatch package: calling the braceExpand function (the code behind the "{a,b}" brace syntax) with crafted arguments triggers catastrophic backtracking and stalls the process. It is separate from the issue fixed in 3.0.2 above and was fixed in minimatch 3.0.5, so untrusted input must not reach brace expansion on anything older.
Regular Expression Denial of Service in semver
Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.
Update to version 4.3.2 or later.
semver vulnerable to Regular Expression Denial of Service
Versions of semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and before 5.7.2 on every older branch are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
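The four advisories above (both minimatch entries and both semver entries) share one root cause: an ambiguous regular expression, with nested or overlapping quantifiers, fed attacker-controlled text of unbounded length. The example below is added here and is not code from read-package-json, minimatch or semver. It shows the two defences a practitioner applies on the calling side regardless of which version is installed: bound the input before any regex-backed parser sees it, and write patterns so each character can be consumed in only one way. The length budgets, the glob escape set, the simplified version regex and every function name are this example's own assumptions.

```javascript
'use strict';

// Added example, not code from read-package-json, minimatch or semver.
// Assumed budgets: no legitimate version string or glob pattern needs more.
const MAX_VERSION_LENGTH = 256;
const MAX_PATTERN_LENGTH = 1024;

// Vulnerable shape: a greedy run inside a repeated group with an optional
// separator. "aaaa" can be split as (a)(a)(a)(a), (aa)(aa), (a)(aaa), ...
// so a failing input of n letters forces about 2^(n-1) backtracking attempts.
const NAIVE_DOTTED = /^([a-z0-9]+\.?)+$/;

// Hardened shape: a run of letters must be followed by a dot or the end, so
// there is exactly one way to consume each character (linear time).
const SAFE_DOTTED = /^[a-z0-9]+(?:\.[a-z0-9]+)*$/;

// Simplified semver-style grammar (assumption: not semver's own regex). Every
// alternative is anchored and unambiguous: the prerelease class excludes '+',
// so the build suffix cannot overlap with it.
const VERSION_RE =
  /^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-([0-9A-Za-z.-]+))?(?:\+([0-9A-Za-z.-]+))?$/;

// Length bound first, then the unambiguous regex. Returns null on rejection.
function parseVersionSafe(input) {
  if (typeof input !== 'string' || input.length > MAX_VERSION_LENGTH) return null;
  const m = VERSION_RE.exec(input.trim());
  if (!m) return null;
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    prerelease: m[4] === undefined ? null : m[4],
    build: m[5] === undefined ? null : m[5],
  };
}

// Gate an untrusted glob pattern before it reaches minimatch(path, pattern).
// The advisory's PoC is "[!" followed by a million backslashes; a plain
// length budget rejects it before any regex is ever built from it.
function checkGlobPattern(pattern) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > MAX_PATTERN_LENGTH) return { ok: false, reason: 'pattern too long' };
  return { ok: true, reason: null };
}

// When user text must appear inside a pattern, make it a literal: every glob
// metacharacter gets a backslash. (Escape set is an assumption; check it
// against the glob library you actually use.)
function escapeGlob(text) {
  return text.replace(/[\\*?[\]{}()!@+|]/g, '\\$&');
}

// Rebuild the advisory's exploit string (constructed input), with the run
// length exactly as requested rather than the original loop's len + 1.
function buildExploit(runLength) {
  return '[!' + '\\'.repeat(runLength) + 'A';
}

// Wall-clock time of one regex on one input, in milliseconds.
function measureMs(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Compare the two shapes on a constructed input that cannot match. Not run at
// load time on purpose: with a few dozen letters the naive pattern already
// takes seconds, which is the whole point of the advisories above.
function backtrackingDemo(n) {
  const failing = 'a'.repeat(n) + '!';
  return {
    naiveMs: measureMs(NAIVE_DOTTED, failing),
    safeMs: measureMs(SAFE_DOTTED, failing),
  };
}
```

Call backtrackingDemo(12), then backtrackingDemo(20) and backtrackingDemo(24), and watch naiveMs roughly double with each extra letter while safeMs stays flat; that growth curve, not the absolute numbers, is what identifies a ReDoS-prone pattern during review. In application code the pattern argument of minimatch and the range argument of semver's Range should only ever receive strings that passed a guard like checkGlobPattern or parseVersionSafe, or that were escaped with escapeGlob so they are matched literally.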