Sinon, a popular JavaScript library for creating test spies, stubs, and mocks, saw a notable update between version 3.2.1 and 3.3.0. Both versions keep the same core purpose: helping developers write cleaner and more effective unit tests by providing tools to isolate and control dependencies. The key difference lies in the development dependencies. Version 3.3.0 upgraded ESLint from 3.1.1 to 4.6.1, indicating a shift towards newer linting rules and potentially stricter code-quality enforcement during development. Version 3.3.0 also added a new dependency, "lodash.get": "^4.4.2", which was not present in its predecessor. Lodash is a widely used utility library, and lodash.get is the part of it that offers a robust way to safely access nested object properties, which gives Sinon's internals better data handling. Developers using Sinon 3.3.0 may therefore indirectly benefit from more streamlined and potentially safer object property access within Sinon's functionality. Both versions share the same core dependencies, a sign of established functionality and a consistent API. The update is more than a version bump: it brings improvements around code linting and internal data access, potentially making the library more robust and maintainable for developers who rely on Sinon in their testing workflows. The ESLint upgrade hints at better adherence to modern JavaScript coding standards, which is always a plus for maintainability and team collaboration.
All vulnerabilities related to version 3.3.0 of the package
Deserialization Code Execution in js-yaml
Versions 2.0.4 and earlier of js-yaml are affected by a code execution vulnerability in the YAML deserializer.
const yaml = require('js-yaml');
const x = `test: !!js/function >
  function f() {
    console.log(1);
  }();`
yaml.load(x);
Update js-yaml to version 2.0.5 or later, and ensure that all instances where the .load() method is called are updated to use .safeLoad() instead.
Denial of Service in js-yaml
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Upgrade to version 3.13.0.
Code Injection in js-yaml
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.
An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object
{
  "1553107949161": 1
}
Upgrade to version 3.13.1.
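The two js-yaml advisories above both rely on the JavaScript-specific tags that js-yaml's full schema resolves on the load() path, in either the short form (!!js/function) or the verbatim form (!<tag:yaml.org,2002:js/function>). As a defence-in-depth layer for code bases that cannot upgrade immediately, the following added example (not js-yaml's code and not part of the advisory) scans a YAML document for those tags before it reaches any loader and reports where they occur. The sample documents are constructed from the payload shapes shown above.

```javascript
// Added example (not js-yaml's code, not from the advisory): a textual
// pre-check that flags the JavaScript-typed tags js-yaml's full schema
// resolves (the load() path) before a document reaches any loader.
// Assumed tag forms: the short "!!js/<type>" and the verbatim
// "!<tag:yaml.org,2002:js/<type>>", both shown in the advisories above.
// The real fix remains upgrading js-yaml and using safeLoad().

// One alternation per tag form; the captured group is the JS type name.
const JS_TAG_RE = /!!js\/([A-Za-z]+)|!<tag:yaml\.org,2002:js\/([A-Za-z]+)>/g;

// Return every JavaScript-typed tag in the document with its 1-based line,
// so a rejection can be logged with enough context to investigate.
function findJsTags(yamlText) {
  const findings = [];
  yamlText.split(/\r?\n/).forEach((line, idx) => {
    for (const m of line.matchAll(JS_TAG_RE)) {
      findings.push({ line: idx + 1, type: m[1] || m[2], tag: m[0] });
    }
  });
  return findings;
}

// Gate a document: return it unchanged when clean, throw with the findings
// otherwise, so the caller can pass the result straight to a loader.
function assertNoJsTags(yamlText) {
  const found = findJsTags(yamlText);
  if (found.length > 0) {
    const detail = found.map(f => `${f.tag} at line ${f.line}`).join(', ');
    throw new Error(`refusing YAML containing JavaScript tags: ${detail}`);
  }
  return yamlText;
}

// Run the gate over several documents and collect one message per document.
function summarize(docs) {
  return docs.map(doc => {
    try {
      assertNoJsTags(doc);
      return 'clean document';
    } catch (err) {
      return err.message;
    }
  });
}

// Constructed sample inputs: the two payload shapes from the advisories above
// and a benign configuration document.
const PAYLOAD_SHORT_TAG = [
  'test: !!js/function >',
  '  function f() {',
  '    console.log(1);',
  '  }();',
].join('\n');

const PAYLOAD_VERBATIM_TAG =
  "{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1";

const BENIGN_DOC = ['server:', '  port: 8080', '  hosts: [alpha, beta]'].join('\n');

console.log(summarize([PAYLOAD_SHORT_TAG, PAYLOAD_VERBATIM_TAG, BENIGN_DOC]).join('\n'));
```

The check is deliberately conservative: it flags the tag text even when it appears inside a quoted scalar, which is the right trade-off for a gate on untrusted input. It is also only textual, so a document that renames the tag handle with a YAML %TAG directive would slip past it; treat it as a detection and logging layer on top of the upgrade, not as a substitute for it.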
Regular Expression Denial of Service in timespan
Affected versions of timespan are vulnerable to a regular expression denial of service when parsing dates.
The amplification for this vulnerability is significant, with 50,000 characters resulting in the event loop being blocked for around 10 seconds.
No direct patch is available for this vulnerability.
Currently, the best available solution is to use a functionally equivalent alternative package.
It is also sufficient to ensure that user input is not being passed into timespan, or that the maximum length of such user input is drastically reduced. Limiting the input length to 150 characters should be sufficient in most cases.
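The length cap recommended above is easiest to apply once, at the boundary where untrusted strings enter, rather than at every call site. The added example below (not timespan's code, not from the advisory) wraps any synchronous string-consuming parser behind a hard length cap, and additionally reports calls that run longer than a budget so a stall of the kind described here shows up in logs. The parsers used in it are constructed stand-ins; the 150-character default is the figure given above, and the same wrapper applies to the uglify-js parse() case further down.

```javascript
// Added example, not from timespan, uglify-js or the advisory: wrap a
// synchronous, single-string parser behind an input-length cap (the
// mitigation the advisory recommends) and a wall-clock budget that reports
// calls which ran long (a detection signal for ReDoS-style stalls).
const DEFAULT_MAX_LENGTH = 150; // cap suggested in the advisory above
const DEFAULT_SLOW_MS = 100;    // assumed budget; tune to the parser

function withParseGuard(parse, options = {}) {
  const maxLength = options.maxLength ?? DEFAULT_MAX_LENGTH;
  const slowMs = options.slowMs ?? DEFAULT_SLOW_MS;
  // Receives a small record (never the raw input) when a call runs long.
  const onSlow = options.onSlow ?? (() => {});

  return function guardedParse(input) {
    if (typeof input !== 'string') {
      throw new TypeError('guarded parser expects a string');
    }
    // Reject oversized input before the parser ever sees it: the
    // amplification described above needs thousands of characters.
    if (input.length > maxLength) {
      throw new RangeError(`input length ${input.length} exceeds cap ${maxLength}`);
    }
    const started = Date.now();
    try {
      return parse(input);
    } finally {
      const elapsed = Date.now() - started;
      if (elapsed > slowMs) {
        onSlow({ elapsedMs: elapsed, inputLength: input.length });
      }
    }
  };
}

// Constructed stand-ins: a fast parser and one that stalls the event loop
// for roughly 30 ms, the way a pathological regex match would.
function quickParse(s) {
  return { length: s.length, tokens: s.trim().split(/\s+/) };
}
function stallingParse(s) {
  const until = Date.now() + 30;
  while (Date.now() < until) { /* busy wait */ }
  return quickParse(s);
}

const slowEvents = [];
const guardedQuick = withParseGuard(quickParse);
const guardedStalling = withParseGuard(stallingParse, {
  slowMs: 10,
  onSlow: event => slowEvents.push(event),
});

console.log(guardedQuick('2 hours 30 minutes'));
guardedStalling('short');
console.log('slow calls recorded:', slowEvents.length);
```

Keep the slow-call record free of the input itself: the length and duration are enough to alert on, and the raw string is exactly the attacker-controlled data you do not want copied into logs.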
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js
Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.
Upgrade UglifyJS to version >= 2.4.24.
Regular Expression Denial of Service in uglify-js
Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.
var u = require('uglify-js');
// Build a string of len+1 copies of chr; the length is taken from the
// command line so the timings below can be compared across input sizes.
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
}
// Hand parse() a long numeric literal and let the shell time the run.
u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");
$ time node test.js 10000
real 0m1.091s
user 0m1.047s
sys 0m0.039s
$ time node test.js 80000
real 0m6.486s
user 0m6.229s
sys 0m0.094s
Update to version 2.6.0 or later.