Ts-loader is a popular webpack loader that enables developers to use TypeScript within their webpack-based projects. Comparing versions 5.4.3 and 5.4.4 reveals subtle but potentially valuable differences for developers seeking optimal configuration and performance in their TypeScript builds.
Both versions share identical dependencies and devDependencies, signifying consistent tooling and underlying library support. Dependencies such as chalk, semver, micromatch, loader-utils, and enhanced-resolve are unchanged, so the core functionality for console styling, version handling, file matching, and module resolution is the same. Likewise, the set of devDependencies used for testing, linting, transpilation, and other development-time tasks, including webpack, typescript, karma, mocha, and the Babel-related packages, is identical in both versions.
The key difference lies in the dist object, specifically its unpackedSize: version 5.4.4 has an unpacked size of 344911 bytes, while version 5.4.3 has 344577 bytes, a 334-byte increase in the published code. While the difference is minor, developers conscious of bundle size, or those hitting particular edge cases, may want to investigate the changes behind it. The release dates show that 5.4.4 was published 4 days after 5.4.3, suggesting that it patched an issue in the previous release; the size change may reflect that fix.
All vulnerabilities related to version 5.4.4 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. Given a malicious payload, the pattern matching keeps backtracking over the input as long as it does not find the closing bracket; as the input size increases, so does the processing time, until the application slows down or hangs. There was a merged fix, but further testing showed the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. The issue should be mitigated by using a safe pattern that does not start backtracking due to greedy matching.
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends imbalanced braces as input, the parser enters a loop that keeps allocating heap memory without ever freeing it. Eventually the JavaScript heap limit is reached and the program crashes.
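Both advisories above are triggered by long pattern strings with unbalanced delimiters, so a consumer of either library can add a cheap pre-check in front of the brace expander while the dependency upgrade is rolled out. The following JavaScript is an added example, not code from ts-loader, micromatch or braces; the `expand` callback, the `MAX_PATTERN_LENGTH` limit and the sample patterns are assumptions, and the balance check is deliberately conservative (it may reject exotic bracket expressions such as a character class containing a literal bracket).

```javascript
// Added example (not from ts-loader, micromatch or braces): reject untrusted
// glob/brace patterns that are overlong or have unbalanced delimiters before
// they reach a brace expander. Upgrading the dependencies is the real fix;
// this is defence in depth against the two failure modes described above.

const MAX_PATTERN_LENGTH = 1024; // assumed limit; tune for your inputs

// Single pass over the pattern with a stack, honouring backslash escapes.
// Returns null when the pattern is acceptable, otherwise a reason string.
function checkBracePattern(pattern, maxLength = MAX_PATTERN_LENGTH) {
  if (typeof pattern !== 'string') return 'pattern must be a string';
  if (pattern.length > maxLength) {
    return `pattern exceeds ${maxLength} characters`;
  }
  const closers = { '{': '}', '[': ']' };
  const stack = [];
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }            // skip the escaped character
    if (ch in closers) {
      stack.push(closers[ch]);                    // remember the expected closer
    } else if (ch === '}' || ch === ']') {
      if (stack.pop() !== ch) return `unexpected '${ch}' at index ${i}`;
    }
  }
  if (stack.length > 0) return `missing closing '${stack[stack.length - 1]}'`;
  return null;
}

// Wrap any expander (e.g. the braces package's default export) so that
// rejected patterns raise an error instead of being parsed.
function safeExpand(expand, pattern, maxLength = MAX_PATTERN_LENGTH) {
  const problem = checkBracePattern(pattern, maxLength);
  if (problem !== null) throw new Error(`rejected pattern: ${problem}`);
  return expand(pattern);
}

// Constructed sample patterns for illustration.
const samples = {
  balanced: 'src/{a,b}/*.[jt]s',
  escaped: 'src/\\{literal\\}/*.js',   // escaped braces are not delimiters
  imbalanced: 'src/{a,b/*.js',         // never closed: the braces loop trigger
  stray: 'src/a}/*.js',                // closer without opener
  tooLong: '{'.repeat(2000),           // exceeds the length limit outright
};

for (const [name, p] of Object.entries(samples)) {
  console.log(name, '->', checkBracePattern(p) ?? 'ok');
}
```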