Sass version 1.10.4 is a minor release, following 1.10.3, of the popular pure-JavaScript implementation of Sass, a preprocessor scripting language that is interpreted or compiled into Cascading Style Sheets (CSS). Both versions, licensed under MIT, share the same core foundation and give developers the ability to write clean, structured, and maintainable CSS. Key features remain consistent, including variables, nesting, mixins, and inheritance, which streamline development and improve code reuse.
A primary dependency of both releases is chokidar, which provides efficient file watching; this matters for automatically recompiling Sass files when they change during development, a key part of developer workflows. The author and repository details are also identical, tracing back to Natalie Weizenbaum and the dart-sass project on GitHub, reflecting stability in the project's maintainership and source.
The most notable difference lies in the dist section. Version 1.10.4, released on August 10, 2018, has a slightly decreased unpackedSize of 688063 bytes compared to version 1.10.3's 688158 bytes, released a week earlier on August 3, 2018. While both have the same fileCount of 4, this small size difference likely indicates minor optimization within the codebase, potentially including bug fixes or performance improvements. For developers, upgrading from 1.10.3 to 1.10.4 promises the same robust Sass functionality with possibly enhanced efficiency.
All vulnerabilities related to version 1.10.4 of the package
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing enters a loop that keeps allocating heap memory without freeing it at any point in the loop. Eventually the JavaScript heap limit is reached and the program crashes.
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* greedily matches anything. Given a malicious payload, the pattern matching keeps backtracking over the input as long as it does not find the closing bracket. As the input size grows, the time consumed grows with it until the application hangs or slows down. There was a merged fix, but further testing showed the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that does not start backtracking the regular expression due to greedy matching.