ts-loader versions 5.3.0 and 5.2.2 are both TypeScript loaders for webpack, integrating TypeScript code into webpack-based projects. Both versions share the same core dependencies (chalk, semver, micromatch, loader-utils and enhanced-resolve), so compatibility with related tools is the same. Their development dependencies, including the tools used for testing, linting and building such as glob, babel, karma, tslint and webpack, also remain largely the same.
The main discernible difference is the release date, and with it any under-the-hood bug fixes and minor improvements. Version 5.3.0 was released on October 31, 2018, whereas version 5.2.2 came out on October 14, 2018. Looking at the dist object, the unpacked size of version 5.3.0 is a little bigger than that of version 5.2.2. Developers considering an upgrade from 5.2.2 to 5.3.0 should note that the core functionality and dependencies appear unchanged; upgrading mainly brings the latest bug fixes and tweaks. While this particular update is incremental, staying current generally keeps webpack-based TypeScript workflows compatible and stable. It is good practice to review the ts-loader changelog for the specific changes in each version and to test the updated version in a development environment before rolling it out.
All the vulnerabilities related to version 5.3.0 of the package

Regular Expression Denial of Service (ReDoS) in micromatch

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching keeps backtracking over the input while it does not find the closing bracket. As the input size increases, the time consumed also increases, until the application hangs or slows down. There was a merged fix, but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that does not start backtracking the regular expression due to greedy matching.
Uncontrolled resource consumption in braces

The NPM package braces fails to limit the number of characters it can handle, which can lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing enters a loop that keeps allocating heap memory without ever freeing it. Eventually the JavaScript heap limit is reached and the program crashes.
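Both advisories above are triggered by the same input shapes: unbalanced braces and patterns of unbounded length reaching a brace-expanding matcher. The following is an added example (not code from ts-loader, micromatch or braces) of a defensive pre-check a build script can run on user-supplied glob patterns before handing them to micromatch.braces(), plus a check that the installed micromatch is at or past the 4.0.8 fix named above; MAX_PATTERN_LENGTH is an assumed limit chosen for this example.

```javascript
// Assumed limit for this example; pick one that fits your real patterns.
const MAX_PATTERN_LENGTH = 256;

// Validate a glob pattern without expanding it. Returns { ok: true } or
// { ok: false, reason }. Rejects over-long input and unbalanced braces,
// honouring backslash escapes so "a\{b" is treated as a literal brace.
function checkBracePattern(pattern, maxLength = MAX_PATTERN_LENGTH) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > maxLength) {
    return { ok: false, reason: `pattern longer than ${maxLength} characters` };
  }
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; } // escaped character: skip it
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) return { ok: false, reason: `unmatched "}" at index ${i}` };
      depth--;
    }
  }
  if (depth !== 0) return { ok: false, reason: `${depth} unclosed "{"` };
  return { ok: true };
}

// True when a plain x.y.z micromatch version is >= 4.0.8 (the fixed release
// named in the advisory). Ranges and prerelease tags are treated as unknown
// and therefore rejected, which is the safe default for a build gate.
function micromatchIsPatched(version) {
  const parts = String(version).split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) return false;
  const fixed = [4, 0, 8];
  for (let i = 0; i < 3; i++) {
    if (parts[i] > fixed[i]) return true;
    if (parts[i] < fixed[i]) return false;
  }
  return true;
}
```

In a webpack or ts-loader setup, call checkBracePattern on any pattern that originates outside the repository (CLI arguments, config merged from user input) and fail the build when it returns ok: false, rather than relying on the matcher to cope.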