Webpack version 4.26.0 introduces a subtle but significant shift in its plugin ecosystem, replacing uglifyjs-webpack-plugin with terser-webpack-plugin within its dependencies. This change reflects the evolution of JavaScript tooling, favoring Terser, a more actively maintained and modern alternative to UglifyJS for minifying and mangling JavaScript code. For developers, this translates to potentially better performance and compatibility with newer JavaScript syntax during minification, leading to smaller and more efficient bundles. Although most of the dev dependencies remain the same, the minifier is a central part of the build process, so this swap is a meaningful change. While both 4.25.1 and 4.26.0 keep the same core dependencies and development tools, such as those for linting, testing, and code transformation, the move to Terser signals a commitment to staying current with JavaScript best practices. Developers upgrading should be aware of potential configuration differences between the two minification plugins, although the default behavior is likely similar for most common use cases. Consider reviewing the TerserWebpackPlugin documentation to ensure your configuration is aligned with your project's needs. Together, these changes give greater flexibility and robustness when optimizing code.
All vulnerabilities related to version 4.26.0 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking over the input while it does not find the closing bracket. As the input size increases, the processing time also increases until the application hangs or slows down. There was a merged fix, but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that will not start backtracking the regular expression due to greedy matching.
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any point of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
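Both advisories above hinge on the same input shapes: patterns that grow without bound and patterns whose opening bracket never closes. The following added example (a hypothetical helper written for this page, not code from micromatch, braces or webpack) pre-validates untrusted glob patterns before they reach a brace-expansion library; the length cap, the function names and the escape handling are assumptions of this example, and it complements, rather than replaces, upgrading the affected packages.

```javascript
// Added example: gate untrusted glob patterns before calling a
// brace-expansion library such as micromatch/braces. Hypothetical helper,
// not part of micromatch, braces or webpack. It rejects the two input
// shapes the advisories describe: oversized patterns and patterns whose
// '{' or '[' never closes, so greedy matching has nothing to backtrack on.

const DEFAULT_MAX_LENGTH = 1024; // assumption: generous cap for real-world globs

/**
 * Check that a pattern is within the size cap and that every '{' and '['
 * has a matching close. Backslash escapes are honoured, so '\{' is literal.
 * Returns { ok: true } or { ok: false, reason: '...' }.
 */
function validateGlobPattern(pattern, maxLength = DEFAULT_MAX_LENGTH) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > maxLength) {
    return { ok: false, reason: `pattern exceeds ${maxLength} characters` };
  }
  const closer = { '{': '}', '[': ']' };
  const stack = []; // expected closing characters, innermost last
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }              // skip the escaped character
    if (ch === '{' || ch === '[') { stack.push(closer[ch]); continue; }
    if (ch === '}' || ch === ']') {
      if (stack.pop() !== ch) {
        return { ok: false, reason: `unbalanced '${ch}' at offset ${i}` };
      }
    }
  }
  if (stack.length > 0) {
    const opener = stack[stack.length - 1] === '}' ? '{' : '[';
    return { ok: false, reason: `unclosed '${opener}'` };
  }
  return { ok: true };
}

// Wrap the library call: `expand` stands in for micromatch.braces() or similar.
function expandIfSafe(pattern, expand, maxLength) {
  const verdict = validateGlobPattern(pattern, maxLength);
  if (!verdict.ok) {
    throw new Error(`rejected glob pattern: ${verdict.reason}`);
  }
  return expand(pattern);
}
```

The check is deliberately conservative: unusual but valid forms such as a literal ']' opening a character class are rejected along with malformed input, which is the right trade-off when the pattern source is untrusted.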