ts-loader 4.1.0 brings subtle but important updates for developers using TypeScript with webpack. While the core functionality remains consistent with version 4.0.1, several dependency bumps indicate compatibility improvements and bug fixes. Notably, the typescript dev dependency is updated from version 2.7.1 to 2.7.2, suggesting refinements in TypeScript compilation support, which can translate into better handling of the latest TypeScript features and resolutions for specific TypeScript-related issues.
Furthermore, the html-webpack-plugin was updated from version 2.17.0 to version 3.0.6.
A slight increase in fileCount (from 24 to 25) and in unpackedSize (from 316916 to 548364) could reflect added features, updated build processes, or adjustments to included documentation or assets. Developers should examine the changelog for a comprehensive view of all changes. While the impact of this upgrade will vary with project specifics, it is generally advisable to upgrade to the latest minor version to benefit from bug fixes, performance enhancements, and potential new features that keep the loader aligned with the evolving TypeScript and webpack ecosystems, so that codebases remain compatible with the newest tools and standards.
All vulnerabilities related to version 4.1.0 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. Given a malicious payload, the pattern matching keeps backtracking through the input as long as it fails to find the closing bracket. As the input size increases, the time consumed also increases, until the application hangs or slows down. There was a merged fix, but further testing showed that the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. The issue should be mitigated by using a safe pattern that does not start backtracking the regular expression because of greedy matching.
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which can lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parser enters a loop that allocates heap memory without freeing it at any point in the loop. Eventually the JavaScript heap limit is reached and the program crashes.
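As an added example, not code from ts-loader, micromatch or braces, the following pre-validation rejects the two input shapes the two advisories above describe, over-long patterns and imbalanced braces or brackets, before a glob pattern ever reaches micromatch.braces() or the braces parser. The 1024-character limit is an assumed value, and the check is deliberately conservative: it rejects a few legal but exotic bracket forms (such as a literal ']' inside a character class) rather than risk passing a malformed pattern through.

```javascript
// Pre-validate glob patterns before handing them to micromatch / braces.
// Rejects inputs whose cost in those libraries grows with length
// (over-long patterns) or that never close a brace / bracket
// (the "imbalanced braces" and "missing closing bracket" cases).

const MAX_PATTERN_LENGTH = 1024; // assumed limit; tune for your project

function validateGlobPattern(pattern, maxLength = MAX_PATTERN_LENGTH) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > maxLength) {
    return { ok: false, reason: `pattern longer than ${maxLength} characters` };
  }
  const closing = { '{': '}', '[': ']' };
  const stack = []; // open delimiters still waiting for their close
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; } // backslash-escaped char is literal
    if (ch === '{' || ch === '[') {
      stack.push({ open: ch, at: i });
    } else if (ch === '}' || ch === ']') {
      const top = stack.pop();
      if (!top || closing[top.open] !== ch) {
        return { ok: false, reason: `unexpected '${ch}' at index ${i}` };
      }
    }
  }
  if (stack.length > 0) {
    const top = stack[stack.length - 1];
    return { ok: false, reason: `unclosed '${top.open}' at index ${top.at}` };
  }
  return { ok: true, reason: '' };
}

// Split a list of patterns (e.g. from a loader or build config) into the
// ones safe to expand and the ones to refuse, with the reason for each.
function partitionPatterns(patterns, maxLength = MAX_PATTERN_LENGTH) {
  const accepted = [];
  const rejected = [];
  for (const p of patterns) {
    const result = validateGlobPattern(p, maxLength);
    if (result.ok) accepted.push(p);
    else rejected.push({ pattern: p, reason: result.reason });
  }
  return { accepted, rejected };
}
```

Call validateGlobPattern() on any pattern that originates outside the repository (CLI arguments, user configuration, request parameters) and refuse the pattern, rather than truncating it, when the result is not ok.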