Sass version 1.14.0 introduces subtle changes compared to its predecessor, version 1.13.4; both are JavaScript distributions of the popular Sass CSS preprocessor published on npm. The two versions share the same package description, the MIT license, and a dependency on the chokidar library for file watching, but a closer look at the package metadata reveals minor differences that could be relevant to developers. The core functionality, which lets developers write cleaner, more maintainable CSS with features such as variables, mixins, and nesting, remains consistent.
The most notable disparities lie in the dist object, which describes the published tarball. Version 1.14.0 has a slightly smaller unpacked size of 647078 bytes compared to 647630 bytes for 1.13.4, and both ship 4 files. The metadata does not say what changed; a difference of a few hundred bytes is consistent with a small bug fix or internal restructuring and should not be read as evidence of faster execution or a reduced memory footprint.
Furthermore, the release dates highlight a short development cycle between the versions. Version 1.13.4 was released on September 11, 2018, and version 1.14.0 followed on September 19, 2018, just over a week later. Such a short cycle usually means the newer release addresses issues found in the previous one or adds minor enhancements discovered shortly after it shipped; the project changelog, not the package metadata, is where that should be confirmed. Developers should weigh these factors when deciding which version to utilise in their projects.
All vulnerabilities affecting version 1.14.0 of the package (both are reported against dependencies, braces and micromatch, rather than against the Sass code itself)
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parser enters a loop that keeps allocating heap memory without ever freeing it. Eventually the JavaScript heap limit is reached and the program crashes. The issue is fixed in braces 3.0.3; callers that expand patterns taken from untrusted input should additionally cap the pattern length before handing it to the library.
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is in micromatch.braces() in index.js, where the pattern .* greedily matches anything. Given a crafted payload, the regex engine keeps backtracking through the input while it fails to find the closing brace; as the input grows, matching time grows with it until the application slows down or hangs. An earlier fix had been merged, but further testing showed the issue persisted until https://github.com/micromatch/micromatch/pull/266. The mitigation is to use a safe pattern that does not start backtracking because of greedy matching, or to replace the regular expression with a plain linear scan of the string.