ts-loader versions 3.3.0 and 3.3.1 are both TypeScript loaders for webpack, integrating TypeScript code into webpack-based projects. Both versions share a common set of dependencies, including chalk, semver, micromatch, loader-utils, and enhanced-resolve, giving consistent support for features like colorful console output, semantic versioning, file matching, and module resolution. They also share the same development dependencies, such as webpack, typescript, babel-core, karma and related testing libraries, suggesting a stable development and testing environment.
The key difference between the two versions lies in their release dates. Version 3.3.0 was released on January 21, 2018, while version 3.3.1 followed shortly after on January 23, 2018. This close proximity suggests that version 3.3.1 likely contains bug fixes or minor improvements over its predecessor. Developers considering ts-loader should opt for the newer version (3.3.1) to benefit from these potential fixes and the stability they bring. Both versions are licensed under the MIT license, offering developers flexibility in their projects. Moreover, both point to the same repository and author, indicating continuity in the project's development and maintainership. For those currently building with webpack and TypeScript, this loader is an essential tool for creating apps.
All vulnerabilities related to version 3.3.1 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* greedily matches anything. When a malicious payload is passed, the pattern matching keeps backtracking over the input as long as it does not find the closing bracket. As the input size increases, the processing time also increases until the application hangs or slows down. There was a merged fix, but further testing showed that the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that does not start backtracking the regular expression due to greedy matching.
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parser enters a loop that keeps allocating heap memory without ever freeing it. Eventually the JavaScript heap limit is reached and the program crashes.
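Both entries above come down to the same defensive point: untrusted brace patterns should be bounded in size and checked for balance before a backtracking parser sees them, and the matcher itself should use a pattern that cannot backtrack. The following is an added example, not code from micromatch, braces or ts-loader; MAX_PATTERN_LENGTH, the function names and the sample inputs are assumptions.

```javascript
// Added example (not code from micromatch or braces): a linear-time guard for
// untrusted brace patterns, and a brace-group matcher whose regex cannot
// backtrack. MAX_PATTERN_LENGTH is an assumed application limit.
const MAX_PATTERN_LENGTH = 1024;

// Walk the pattern once: enforce a length limit and require balanced,
// properly nested braces. Backslash escapes the next character so that
// a literal "\{" is not counted as an opening brace.
function checkBracePattern(pattern, maxLength = MAX_PATTERN_LENGTH) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > maxLength) return { ok: false, reason: 'too long' };
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }          // skip escaped character
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) return { ok: false, reason: 'unexpected closing brace' };
      depth--;
    }
  }
  if (depth !== 0) return { ok: false, reason: 'unclosed brace' };
  return { ok: true, reason: '' };
}

// A greedy form such as /\{.*\}/ must retry every possible end of ".*" when no
// closing brace exists. A negated class, [^{}]*, leaves the engine no choice
// at each character, so matching time stays linear in the input length.
const SAFE_BRACE_GROUP = /\{[^{}]*\}/g;

// Return the innermost brace groups of a pattern the guard has accepted.
function extractBraceGroups(pattern) {
  const verdict = checkBracePattern(pattern);
  if (!verdict.ok) throw new Error(`rejected pattern: ${verdict.reason}`);
  return Array.from(pattern.matchAll(SAFE_BRACE_GROUP), (m) => m[0]);
}

// Constructed sample inputs: one well-formed, one imbalanced, one oversized.
const samples = ['src/{a,b}/{c,d}.ts', 'src/{a,b/*.ts', '{'.repeat(5000)];
for (const s of samples) {
  const v = checkBracePattern(s);
  console.log(`${v.ok ? 'accept' : 'reject'} (${v.reason || 'balanced'}) len=${s.length}`);
}
```

The guard runs in a single pass, so its cost grows only linearly with the input even when the braces are imbalanced, which is exactly the case that drives both of the issues listed above.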