Read-package-json version 1.2.0 introduces a notable update to normalize-package-data, upgrading it to version ^0.3.0 from 0.2.13 in the previous stable version 1.1.9. This change could bring in new validation rules, data normalization enhancements, or bug fixes related to package.json files, which could directly affect developers relying on this library to process package metadata. Therefore, users upgrading should carefully review changes within the newer normalize-package-data library version to ensure compatibility and understand any new behaviors.
Both versions share the same core purpose: reliably reading and interpreting package.json files, offering crucial semantics, defaults, and validation essential for tools like npm. Key dependencies like glob, lru-cache, and graceful-fs remain consistent, suggesting the fundamental file reading and caching mechanisms haven't drastically changed between releases, aside from the normalize-package-data update. Version 1.2.0 was released on June 6th, 2014, while version 1.1.9 dates back to April 28th, 2014. This suggests a relatively short period between releases, potentially indicating a targeted update focusing on enhanced data normalization. Developers should test this update diligently when dealing with complex package.json configurations.
All the vulnerabilities related to the version 1.2.0 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Regular Expression Denial of Service in semver
Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.
Update to version 4.3.2 or later
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.