Sass version 1.14.3 represents a minor update to the Dart Sass implementation following version 1.14.2. Both versions offer developers a pure JavaScript solution for compiling Sass stylesheets, ensuring compatibility across various JavaScript environments. Developers leveraging Sass for CSS pre-processing will find both versions equipped with the core functionality expected for efficient and organized stylesheet creation.
The primary shared dependency is chokidar, suggesting a focus on file system watching capabilities for automatic recompilation upon changes to Sass files. This is crucial for streamlining development workflows.
Delving into the specifics, the differences between the two versions are subtle but potentially important. While both packages ship the same number of files in their distribution, the unpacked size of version 1.14.3 is marginally larger than that of 1.14.2, hinting at bug fixes, performance enhancements, or minor feature additions within the Sass compiler itself. The difference in size is only 608 bytes.
The release dates, separated by approximately a week, further indicate that this is a targeted update. Developers are encouraged to upgrade to 1.14.3 to benefit from the most recent improvements, even though the changes are not laid out in a detailed changelog. Running the latest version is the usual way to pick up bug fixes and new features. The MIT license ensures open and flexible usage.
All vulnerabilities related to version 1.14.3 of the package
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing enters a loop in which the program keeps allocating heap memory without ever freeing it. Eventually the JavaScript heap limit is reached and the program crashes.
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* greedily matches anything. Given a malicious payload, the pattern matching keeps backtracking over the input as long as it does not find the closing bracket. As the input size grows, the processing time grows with it until the application hangs or slows down. A fix had been merged earlier, but further testing showed that the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that does not start backtracking through the regular expression because of greedy matching.