Vue 2.7.13 is a patch release focusing on incremental improvements and bug fixes over version 2.7.12. Both versions maintain the core functionality of Vue 2 as a reactive, component-oriented view layer for building modern web interfaces. The primary intended audience consists of developers already familiar with Vue 2 and those maintaining existing Vue 2 projects.
A key difference lies in the updated internal dependency @vue/compiler-sfc: version 2.7.13 uses @vue/compiler-sfc@2.7.13, while 2.7.12 uses @vue/compiler-sfc@2.7.12. Such an update typically addresses specific edge-case compilation issues or introduces minor enhancements in Single-File Component (SFC) processing. Although it looks like a minor update, it is important for people using SFCs to update the vue dependency to the matching patch version for performance and stability improvements. Furthermore, the dist section shows a slight increase in unpackedSize, from approximately 4482 KB to 4484 KB, also indicating that the fixes improve overall performance. The releaseDate is also worth taking into consideration, as the newer version dates from two days after the previous release.
Developers should upgrade to Vue 2.7.13 to benefit from these refinements, especially if they've encountered any SFC-related quirks or compilation warnings in version 2.7.12. While not a feature release, these patch updates contribute to a more stable and reliable development experience within the Vue 2 ecosystem. This upgrade ensures compatibility and takes advantage of the latest refinements, ultimately leading to more robust web applications.
All vulnerabilities related to version 2.7.13 of the package
ReDoS vulnerability in the vue package, exploitable through inefficient regex evaluation in the parseHTML function
The ReDoS can be exploited through the parseHTML function in the html-parser.ts file. This flaw allows attackers to slow down the application by providing specially crafted input that causes inefficient processing of regular expressions, leading to excessive resource consumption.
To demonstrate this vulnerability, here's an example. In a Vue client-side application, create a new Vue instance with a template string that includes a <script> tag but closes it incorrectly with something like </textarea>.
new Vue({
  el: '#app',
  // A template literal (backticks) is required so that ${...} is evaluated;
  // the crafted string opens a <script> tag and closes it with </textarea>.
  template: `
    <div>
      Hello, world!
      <script>${'<'.repeat(1000000)}</textarea>
    </div>`
});
Next, set up a basic HTML page (e.g., index.html) to load this JavaScript and mount the Vue instance:
<!DOCTYPE html>
<html>
<head>
  <title>My first Vue app</title>
</head>
<body>
  <div id="app">Loading...</div>
  <!-- Paths are placeholders: the full Vue 2.7 build (runtime + compiler, needed
       for the template option) followed by the script containing the snippet above -->
  <script src="vue.js"></script>
  <script src="app.js"></script>
</body>
</html>
When you visit the app in your browser at http://localhost:3000, you'll notice that the time taken to parse and mount the Vue application increases significantly due to the ReDoS vulnerability, demonstrating how the flaw can affect performance.
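The practical defence is to keep strings from outside the application away from the runtime template compiler; where such a string must be accepted, a cheap linear-time pre-check can refuse the shape described above before it reaches parseHTML. The following is an added example, not code from Vue or from the original page; the function names, the limits and the constructed inputs are assumptions.

```javascript
// Added example (not Vue's code): linear-time pre-check for template strings
// from untrusted input, applied before the runtime compiler. Limits are assumed.
const RAW_TEXT_TAGS = ['script', 'style', 'textarea'];

// Length of the longest run of `ch` in `str`; a single pass, no regex.
function longestRun(str, ch) {
  let best = 0, cur = 0;
  for (let i = 0; i < str.length; i++) {
    cur = str[i] === ch ? cur + 1 : 0;
    if (cur > best) best = cur;
  }
  return best;
}

// True when every raw-text tag opened in `str` is closed by its own end tag
// (<script> by </script>, not by </textarea>). Conservative: a prefix match
// such as <scripts> also counts as an opening, which only causes rejection.
function rawTextTagsBalanced(str) {
  const lower = str.toLowerCase();
  for (const tag of RAW_TEXT_TAGS) {
    let pos = 0;
    while ((pos = lower.indexOf('<' + tag, pos)) !== -1) {
      const close = lower.indexOf('</' + tag + '>', pos);
      if (close === -1) return false;
      pos = close + tag.length + 3; // skip past "</tag>"
    }
  }
  return true;
}

// Gate an untrusted template string; returns { ok, reason }.
function checkUntrustedTemplate(template, limits = { maxLength: 100000, maxRun: 64 }) {
  if (template.length > limits.maxLength) {
    return { ok: false, reason: 'template too long' };
  }
  const run = longestRun(template, '<');
  if (run > limits.maxRun) {
    return { ok: false, reason: `run of ${run} '<' characters` };
  }
  if (!rawTextTagsBalanced(template)) {
    return { ok: false, reason: 'raw-text tag not closed by its own end tag' };
  }
  return { ok: true, reason: '' };
}

// Constructed inputs: the crafted shape from the text above (shortened), a benign template,
// and a short mis-closed one that the tag check alone catches.
const CRAFTED = '<div><script>' + '<'.repeat(5000) + '</textarea></div>';
const BENIGN = '<div><p>Hello, world!</p><textarea>{{ msg }}</textarea></div>';
const MISCLOSED = '<div><script>alert(1)</textarea></div>';
```

The check is a stopgap for the one input shape the text describes; upgrading past the vulnerable parser and compiling templates at build time are the durable fixes.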