ts-loader version 5.1.0 is a minor release that follows closely on the heels of version 5.0.0, providing TypeScript integration for webpack. Both versions share the same core dependencies (chalk, semver, micromatch, loader-utils and enhanced-resolve), so TypeScript compilation within webpack builds behaves consistently across the two.
The main divergence lies in the development dependencies. Version 5.1.0 moves the @types/node dependency from version 9.6.2 to ^10.0.0, which may bring in new features or security updates. Version 5.1.0 also updates fs-extra from 6.0.0 to ^7.0.0, including new features or potential bug fixes.
For developers considering an upgrade, the change in @types/node is likely the most relevant factor: code that relies on specific Node.js typings may need adjustment. The updates to the development dependencies point to improvements in the tooling or testing environment used by ts-loader's maintainers. Both versions keep the same license, repository and author information, reflecting consistent open-source stewardship and maintainership.
Ultimately, the choice between versions 5.0.0 and 5.1.0 depends on the requirements of the project, in particular any reliance on the Node.js type declarations and whether the potential bug fixes in fs-extra matter to it.
Vulnerabilities affecting version 5.1.0 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js, because the pattern .* greedily matches anything. Given a malicious payload, the pattern matching keeps backtracking through the input for as long as it fails to find the closing bracket. As the input size grows, the processing time grows with it until the application slows down or hangs. A fix had been merged earlier, but further testing showed the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. The issue is mitigated by using a safe pattern that does not trigger backtracking in the regular expression through greedy matching.
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which can lead to memory exhaustion. In lib/parse.js, if a malicious user supplies "imbalanced braces" as input, the parser enters a loop that allocates heap memory without ever freeing it during the loop. Eventually the JavaScript heap limit is reached and the program crashes.
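The two advisories above are both reachable through ts-loader's dependency tree, so a practical defence is to audit the lockfile for the affected micromatch range and to validate untrusted glob input before it reaches a brace expander. The following is an added example (not code from ts-loader, micromatch or braces); the lockfile is constructed inline, the 4.0.8 threshold comes from the advisory text, and the length cap is a caller-chosen assumption.

```javascript
// Constructed npm lockfile (lockfileVersion 2 layout) for the demonstration.
const sampleLock = JSON.stringify({
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "node_modules/ts-loader": { version: "5.1.0" },
    "node_modules/micromatch": { version: "3.1.10" },
    "node_modules/braces": { version: "2.3.2" },
    "node_modules/other/node_modules/micromatch": { version: "4.0.8" },
  },
});

// Compare dotted numeric versions (pre-release suffixes ignored);
// returns negative, zero or positive like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// List every installed micromatch whose version predates the 4.0.8 fix,
// including nested copies under other packages' node_modules.
function findVulnerableMicromatch(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/micromatch")) continue;
    if (compareVersions(meta.version, "4.0.8") < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Pre-check for untrusted glob patterns: reject unbalanced braces (the
// trigger described for braces' lib/parse.js) and over-long input before
// the pattern is handed to any expander. maxLen is an assumed policy value.
function isSafeBracePattern(pattern, maxLen = 1024) {
  if (pattern.length > maxLen) return false;
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === "\\") { i++; continue; } // skip the escaped character
    if (ch === "{") depth++;
    else if (ch === "}" && --depth < 0) return false;
  }
  return depth === 0;
}
```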