Rollup Plugin Node Builtins, a tool designed to seamlessly integrate Node.js built-in modules into browser-based Rollup projects, saw a minor version update from 2.1.1 to 2.1.2. Examining the package data reveals a subtle yet important shift: the release date. Version 2.1.2 was published on May 10, 2017, a week after version 2.1.1 which was published on May 3, 2017.
While the core dependencies (browserify-fs, buffer-es6, crypto-browserify, process-es6) and development dependencies (babel-preset-es2015-rollup, debug, mocha, rollup, rollup-plugin-babel, rollup-plugin-node-globals, serve) remain consistent across both versions, this latest version addresses bug fixes, performance enhancements, or compatibility tweaks not explicitly detailed in the provided data.
Developers leveraging Rollup Plugin Node Builtins will find it invaluable for projects requiring Node.js core functionalities within a browser environment. By polyfilling essential modules, developers can maintain code consistency across platforms. The immutability of dependencies between versions 2.1.1 and 2.1.2 signifies a stable and reliable core. When upgrading, developers must therefore focus on the underlying Rollup configuration and any peculiar environment interactions of the code making use of the built-in modules to make sure everything works as intended.
All the vulnerabilities related to the version 2.1.2 of the package
Memory Exposure in bl
Versions of bl before 0.9.5 and 1.0.1 are vulnerable to memory exposure.
bl.append(number) in the affected bl versions passes a number to Buffer constructor, appending a chunk of uninitialized memory
Update to version 0.9.5, 1.0.1 or later.
Remote Memory Exposure in bl
A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
Regular Expression Denial of Service in semver
Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.
Update to version 4.3.2 or later
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
