Ts-loader is a TypeScript loader for webpack, streamlining the process of integrating TypeScript code into webpack-based projects. Comparing versions 5.2.1 and 5.2.0, developers will find that the core dependencies remain consistent; both versions rely on packages like chalk, semver, micromatch, loader-utils, and enhanced-resolve for underlying functionality. Similarly, the development dependencies, which encompass tools for testing, linting, and building, exhibit no changes between the two versions. These include crucial packages like typescript, webpack, karma, mocha, and various Babel-related packages.
The key distinction lies in the release dates and potentially subtle internal improvements or bug fixes incorporated in version 5.2.1. Version 5.2.0 was released on September 23, 2018, while version 5.2.1 followed shortly after on September 25, 2018. This suggests that the update from 5.2.0 to 5.2.1 addresses immediate issues discovered post-release. The relatively small difference in unpackedSize hints at minor code adjustments rather than significant feature additions. It's crucial for developers to consult the changelog (if available) accompanying version 5.2.1 to fully understand the specific changes and bug fixes it brings. Even if the changelog is not available, the general recommendation is to use the newest version of the library, which in this case is 5.2.1. The peerDependencies field specifies that any version of TypeScript is supported.
All known vulnerabilities affecting version 5.2.1 of the package (through its dependencies)
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking through the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix, but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
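Both advisories above share a root cause: a brace-expansion library receiving an unbounded, possibly imbalanced pattern and processing it with either a backtracking regex or an unbounded loop. The following is an added example, not code from ts-loader, micromatch or braces, showing the kind of pre-validation a build tool can apply before any glob pattern reaches such a library: bound the length and confirm braces are balanced with a single linear scan, so no regex or parser loop ever runs over hostile input. The function names, the length limit and the sample patterns are constructed assumptions for illustration.

```javascript
// Added example (not code from ts-loader, micromatch or braces).
// Pre-validation for glob patterns before brace expansion: a length bound
// and a linear-time balance check, neither of which can backtrack or loop
// without bound. MAX_PATTERN_LENGTH is an assumed limit; tune per project.
const MAX_PATTERN_LENGTH = 1024;

// Linear scan: returns true when every '{' has a matching '}' and no '}'
// appears without an opener. A backslash escapes the next character, as
// glob syntax allows, so '\{' does not count as an opener.
function bracesBalanced(pattern) {
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') {
      i++;                      // skip the escaped character
      continue;
    }
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) return false; // closing brace with no opener
      depth--;
    }
  }
  return depth === 0;           // any leftover depth means an unclosed brace
}

// Returns { ok: true } or { ok: false, reason } without running a regex
// over the untrusted input. Callers reject the pattern when ok is false
// instead of passing it on to brace expansion.
function validateGlobPattern(pattern) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: 'too long' };
  }
  if (!bracesBalanced(pattern)) {
    return { ok: false, reason: 'imbalanced braces' };
  }
  return { ok: true };
}

// Constructed inputs: a normal pattern, an unclosed run of braces of the
// kind the advisories describe, and an oversized pattern.
const samplePatterns = [
  'src/**/*.{ts,tsx}',
  '{'.repeat(50) + 'a',
  'a'.repeat(MAX_PATTERN_LENGTH + 1),
];

for (const p of samplePatterns) {
  console.log(JSON.stringify(p.slice(0, 30)), validateGlobPattern(p));
}
```

The check is intentionally independent of whichever glob library is in use: it costs one pass over the string and rejects the two input classes the advisories name (oversized input and imbalanced braces) before the library's own regex or parser sees them. Upgrading the dependency remains the actual fix; this guard limits exposure where the upgrade is still pending.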