Watchpack is a library designed for efficient directory and file watching, commonly used in development workflows that require monitoring file system changes for automated rebuilds or updates. Comparing versions 1.4.0 and 1.3.1, the primary difference lies in the chokidar dependency. Version 1.4.0 updates chokidar to version 1.7.0, while version 1.3.1 uses chokidar version 1.4.3.
This chokidar version upgrade likely incorporates bug fixes, performance improvements, or new features offered by the newer chokidar release. Developers should investigate the chokidar changelog between these versions to understand the specific changes. Upgrading to Watchpack 1.4.0 is recommended to take advantage of a more stable and performant file watching experience.
The other dependencies like async and graceful-fs remain consistent between the two versions, suggesting a focused update on the core file watching mechanism. The development dependencies, including testing and linting tools, are also identical, implying that the development and testing processes remained consistent during this version bump. The library is licensed under MIT, providing flexibility for integration in various projects. It's essential to keep an eye on dependency updates within libraries like Watchpack, as they often address critical issues and enhance overall stability. Using the update to 1.4.0 should offer a more secure and performant experience thanks to the Chokidar update.
All the vulnerabilities related to the version 1.4.0 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Regular Expression Denial of Service (ReDoS) in braces
A vulnerability was found in Braces versions prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Regular Expression Denial of Service in braces
Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.
Upgrade to version 2.3.1 or higher.
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
