Webpack versions 4.28.4 and 4.28.3 are both releases of the popular JavaScript module bundler, which packages CommonJS/AMD modules for the browser and supports loaders for preprocessing many file types. Judging from the published package metadata, the core functionality and dependencies are essentially the same in both versions. Key runtime dependencies such as ajv, acorn, tapable, and webpack-sources carry the same version constraints, and the development dependencies used for testing and linting (eslint, jest, prettier, and loaders for CSS, JSON, and other file types) show no significant changes.
The distinguishing factor lies in the dist metadata, particularly unpackedSize and the release date. Version 4.28.4 has an unpacked size of 1374303 bytes against 1374033 bytes for 4.28.3, a difference of 270 bytes. That small delta points to minor internal changes (bug fixes or small adjustments to the emitted code) rather than new features; the changelog, where available, is the authoritative record of what changed. The release date confirms 4.28.4 as the newer version, published on January 10, 2019, roughly two weeks after 4.28.3. Updating to 4.28.4 is generally advisable to pick up those fixes, after verifying that existing build pipelines and configurations still work. Note that the advisories listed below concern micromatch and braces, which sit in webpack's dependency tree rather than in webpack itself: what matters for them is the version of those packages actually resolved in the lockfile, and switching between two webpack patch releases with the same dependency constraints does not by itself change that.
Vulnerabilities related to version 4.28.4 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is in micromatch.braces() in index.js, where the check for brace syntax uses a pattern containing .* that greedily matches anything. Given a crafted pattern that opens a brace but never closes it, the regex engine first consumes the rest of the input and then backtracks, retrying while it fails to find the closing bracket. Matching time therefore grows faster than linearly with input size, and a long enough input slows down or hangs the application. An earlier fix was merged, but further testing showed the issue persisted until https://github.com/micromatch/micromatch/pull/266. The mitigation is a safe pattern (or a single linear scan) that cannot backtrack because of greedy matching; where the pattern comes from untrusted input, also bound its length before it reaches the matcher.
Uncontrolled resource consumption in braces
The NPM package braces prior to version 3.0.3 fails to limit the number of characters it can handle, which can lead to memory exhaustion. In lib/parse.js, if a malicious user sends imbalanced braces as input, the parser enters a loop that keeps allocating heap memory without freeing any of it; eventually the JavaScript heap limit is reached and the process crashes. Wherever an older braces is still resolved transitively, reject oversized or imbalanced brace patterns before they reach the parser.
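As an added example (not code from either advisory, micromatch or braces), the following Node.js script shows the pre-flight check both advisories call for when a glob pattern comes from untrusted input: a length cap, a single-pass brace-balance scan that rejects imbalanced input before it reaches a brace parser, and a linear replacement for a greedy .* brace check. The greedy regex kept for comparison is of the shape the micromatch advisory describes, not a quotation of the library's code, and the values in DEFAULT_LIMITS are assumed policy numbers, not figures from either project.

```javascript
'use strict';

// Added example, not code from the advisory, micromatch or braces.
// Pre-flight validation for user-supplied glob patterns before they reach a
// brace-expansion library: bound the size, reject imbalanced braces in one
// linear pass, and detect brace groups without a backtracking regex.

// A greedy check of the shape the micromatch advisory describes: ".*"
// between an opening and a closing brace. On input that never closes the
// brace, the engine runs ".*" to the end of the string and backtracks from
// every "{" it tries, so time grows faster than linearly with length.
// Kept only for comparison; do not use it on untrusted input.
const GREEDY_BRACE_CHECK = /\{.*\}/;

function greedyHasBraces(pattern) {
  return GREEDY_BRACE_CHECK.test(pattern);
}

// One left-to-right pass, no backtracking. Backslash escapes the next
// character, as in glob syntax. Returns whether braces are balanced, how many
// "{...}" groups were closed, and the deepest nesting seen.
function scanBraces(pattern) {
  let depth = 0;
  let maxDepth = 0;
  let groups = 0;
  let balanced = true;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') {
      i++; // skip the escaped character
    } else if (ch === '{') {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === '}') {
      if (depth === 0) {
        balanced = false; // "}" with no matching "{"
      } else {
        depth--;
        groups++;
      }
    }
  }
  if (depth !== 0) balanced = false; // unclosed "{"
  return { balanced, groups, depth: maxDepth };
}

// Assumed policy values for this example; pick limits that fit your inputs.
const DEFAULT_LIMITS = { maxLength: 1024, maxDepth: 8 };

// Returns { ok: true, hasBraces } for acceptable patterns, otherwise
// { ok: false, reason }. Anything rejected here never reaches the parser.
function validateGlobPattern(pattern, limits = DEFAULT_LIMITS) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > limits.maxLength) {
    return { ok: false, reason: 'pattern exceeds ' + limits.maxLength + ' characters' };
  }
  const scan = scanBraces(pattern);
  if (!scan.balanced) {
    return { ok: false, reason: 'imbalanced braces' };
  }
  if (scan.depth > limits.maxDepth) {
    return { ok: false, reason: 'brace nesting exceeds ' + limits.maxDepth };
  }
  return { ok: true, hasBraces: scan.groups > 0 };
}

// Constructed sample inputs: ordinary patterns plus the shapes the two
// advisories describe (an unclosed run of "{", a stray "}", oversized input).
const SAMPLES = {
  plain: 'src/**/*.js',
  braced: 'src/{lib,test}/**/*.{js,ts}',
  nested: 'a/{b,{c,d}}/e',
  escaped: 'a\\{b',
  unclosed: '{'.repeat(200),
  stray: 'a}b',
  oversized: '{' + 'a,'.repeat(2000) + '}',
};

// One result line per sample, for a quick look at what the gate does.
function report(samples = SAMPLES) {
  return Object.entries(samples).map(
    ([name, p]) => name.padEnd(9) + ' ' + JSON.stringify(validateGlobPattern(p))
  );
}

console.log(report().join('\n'));
```

Only patterns that pass validateGlobPattern should be handed to micromatch or braces; the scan is O(n) in the pattern length regardless of how the braces are arranged, so a client cannot drive cost up by choosing the input, and the length cap bounds whatever the downstream parser allocates even when the library version in the lockfile is not yet patched.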