Webpack versions 4.29.1 and 4.29.0 are closely related and share the same core functionality for bundling JavaScript modules and other assets for web applications. Both versions let developers split a codebase into manageable bundles, improving load times and user experience through on-demand loading, and both support a wide variety of loaders that preprocess different file types, including JSON, JSX, CSS, and LESS, which gives flexibility when working with diverse project structures.
Comparing the two 'package.json' files shows that the dependency and devDependency listings are virtually identical. Both versions rely on the same versions of core libraries such as ajv, acorn, tapable, webpack-sources, and enhanced-resolve, which provide compilation and module resolution. The differences lie in the distribution metadata. Both versions contain the same number of files (346), but version 4.29.1 has a slightly larger unpacked size (1379331 bytes) than version 4.29.0 (1378801 bytes). Version 4.29.1 was released on February 4th, 2019, whereas version 4.29.0 was released on January 20th, 2019. The package data does not describe the specific changes, but an upgrade between such closely spaced releases usually consists of small bug fixes and performance updates intended to improve stability. Developers should consider upgrading from 4.29.0 to 4.29.1 to pick up these incremental improvements.
All vulnerabilities related to version 4.29.1 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* greedily matches anything. Given a malicious payload, the pattern matching keeps backtracking over the input for as long as it fails to find the closing bracket. As the input size grows, the processing time grows with it, until the application hangs or slows down. A fix had been merged earlier, but further testing showed that the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. The issue should be mitigated by using a safe pattern that does not cause the regular expression to backtrack because of greedy matching.
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which can lead to memory exhaustion. In lib/parse.js, if a malicious user supplies "imbalanced braces" as input, the parser enters a loop in which the program keeps allocating heap memory without ever freeing it. Eventually the JavaScript heap limit is reached and the program crashes.
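Both advisories above describe pattern inputs that a glob or brace-expansion routine should never see unchecked: oversized patterns that drive regex backtracking, and imbalanced braces that send the parser into an allocating loop. The following is an added defensive example, not code from webpack, micromatch or braces; it pre-validates a pattern (length cap, balanced and bounded-depth braces, escape handling) before handing it to whatever expander the application uses. The size and depth limits are assumptions to tune per application.

```javascript
// Added example (not from the micromatch or braces projects): reject the
// pattern shapes the advisories describe before an expander ever sees them.
const MAX_PATTERN_LENGTH = 1024; // assumed cap; tune for your application
const MAX_BRACE_DEPTH = 8;       // assumed cap on brace nesting

// Returns { ok: true } or { ok: false, reason: "..." }.
function validateBracePattern(pattern, opts = {}) {
  const maxLen = opts.maxLength ?? MAX_PATTERN_LENGTH;
  const maxDepth = opts.maxDepth ?? MAX_BRACE_DEPTH;
  if (typeof pattern !== "string") return { ok: false, reason: "not a string" };
  // First line of defence: bound the input size so a pathological pattern
  // cannot drive unbounded allocation or regex backtracking.
  if (pattern.length > maxLen) return { ok: false, reason: "pattern too long" };
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === "\\") { i++; continue; } // escaped character is literal; skip it
    if (ch === "{") {
      depth++;
      if (depth > maxDepth) return { ok: false, reason: "braces nested too deep" };
    } else if (ch === "}") {
      if (depth === 0) return { ok: false, reason: "unmatched closing brace" };
      depth--;
    }
  }
  // Leftover depth means an opening brace never got its closing brace:
  // the "imbalanced braces" case from the braces advisory.
  if (depth !== 0) return { ok: false, reason: "unmatched opening brace" };
  return { ok: true };
}

// Guarded wrapper: the expander (any library function) only runs on patterns
// that passed validation; everything else is rejected up front.
function expandIfSafe(pattern, expand, opts) {
  const verdict = validateBracePattern(pattern, opts);
  if (!verdict.ok) throw new RangeError(`rejected pattern: ${verdict.reason}`);
  return expand(pattern);
}

// Constructed sample inputs (not from the page) and their verdicts.
function checkSamples() {
  const samples = {
    balanced: "src/{a,b}/*.js",
    nested: "src/{a,{b,c}}/*.js",
    imbalanced: "src/{a,b",        // the case the braces advisory describes
    oversized: "{".repeat(5000),   // too long and unbalanced
  };
  const out = {};
  for (const [name, p] of Object.entries(samples)) out[name] = validateBracePattern(p);
  return out;
}
```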