Sass version 1.8.0 introduces subtle but potentially impactful changes compared to its predecessor, version 1.7.3. Both versions, functioning as pure JavaScript implementations of Sass, share core characteristics like a dependency on chokidar (version 2.0.0 or higher) for file watching capabilities, the MIT license, and the same author, Natalie Weizenbaum. Developers familiar with the library will find a familiar foundation.
The primary differences lie in the unpacked size of the package and the release date. Version 1.8.0 weighs in at 687,374 bytes when unpacked, a slight increase from the 686,142 bytes of version 1.7.3. This difference, although minimal, hints at internal code modifications, potential bug fixes, or minor feature enhancements. Released on June 30, 2018, version 1.8.0 arrived just two days after 1.7.3, which came out on June 28, 2018, suggesting a hotfix or very rapid iteration based on user feedback or identified issues.
For developers, these releases represent incremental improvements to a robust Sass compiler. While the dependencies and overall structure remain the same, the updated version may offer a more stable and refined experience thanks to the bug fixes reflected in the slightly larger package. Consequently, adopting version 1.8.0 is generally recommended for new projects and for existing projects looking for the latest improvements, although thorough testing is always advised when upgrading dependencies.
All vulnerabilities related to version 1.8.0 of the package
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parser enters a loop that allocates heap memory without freeing it at any point of the loop. Eventually, the JavaScript heap limit is reached and the program crashes.
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching keeps backtracking over the input while it does not find the closing bracket. As the input size increases, the processing time also increases until it causes the application to hang or slow down. There was a merged fix, but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.