Webpack version 4.29.6 arrived on February 28, 2019, succeeding version 4.29.5, released on February 18, 2019. Both retain the same core functionality of bundling CommonJs/AMD modules for browsers and supporting loaders for different file types, but a closer look reveals some differences that matter to developers.
The primary distinctions lie in the dependency updates. Version 4.29.6 upgrades several @webassemblyjs packages, specifically @webassemblyjs/ast, @webassemblyjs/wasm-edit, @webassemblyjs/wasm-parser, and @webassemblyjs/helper-module-context, all moving from version 1.8.3 to 1.8.5. These updates likely incorporate bug fixes, performance enhancements, or new features related to WebAssembly support within Webpack. Developers using WebAssembly modules in their projects will benefit most from these upgrades, potentially seeing improved compilation and runtime behavior.
While the core functionality remains the same, developers who bundle WebAssembly may be interested in the changes included in this version. If you are not actively using WebAssembly, the update is not crucial, but updating is, as always, recommended when no breaking changes are introduced. Also note that the unpackedSize increases from 1,380,166 to 1,380,250, which may be a relevant data point for teams that enforce a strict disk-usage budget in their CI/CD processes.
Vulnerabilities related to version 4.29.6 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js, because the pattern .* greedily matches anything. Given a malicious payload, the matcher keeps backtracking over the input as long as no closing bracket is found. As the input size increases, the time consumed also increases, until the application hangs or slows down. A fix was merged, but further testing showed that the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that does not trigger regular-expression backtracking through greedy matching.
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which can lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parser enters a loop that allocates heap memory without freeing it at any point. Eventually the JavaScript heap limit is reached and the program crashes.
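Both advisories above share the same defensive response: confirm which micromatch version is actually installed in the dependency tree, and bound any user-controlled glob pattern before it reaches micromatch/braces. The following script is an added example, not code from this page, from webpack, or from the micromatch/braces projects. It assumes an `npm ls --json`-shaped dependency tree as input (the sample tree below is constructed, with versions chosen for illustration), takes the 4.0.8 threshold from the micromatch advisory, and uses a hypothetical length cap and nesting limit as the pre-parse guard; the guard's `{`/`}` balance check reflects the "imbalanced braces" input described for braces, not that library's own parser.

```javascript
// Added example (not from the page or the projects it describes): two
// pre-flight checks for pipelines that pass user-controlled patterns to
// micromatch/braces. MICROMATCH_FIXED comes from the advisory; the length
// cap and nesting limit are hypothetical policy values.

const MICROMATCH_FIXED = '4.0.8';

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are ignored.
function parseSemver(v) {
  const core = String(v).trim().replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  }
  return parts;
}

// True when installed >= minimum, comparing major, then minor, then patch.
function isAtLeast(installed, minimum) {
  const a = parseSemver(installed);
  const b = parseSemver(minimum);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Walk an `npm ls --json`-style tree ({ dependencies: { name: { version,
// dependencies } } }) and return the path to every micromatch copy that is
// older than the patched release. Nested copies are checked too, since a
// single project can carry several.
function findVulnerableMicromatch(tree, path = [], out = []) {
  const deps = (tree && tree.dependencies) || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = [...path, `${name}@${info.version}`];
    if (name === 'micromatch' && !isAtLeast(info.version, MICROMATCH_FIXED)) {
      out.push(here.join(' > '));
    }
    findVulnerableMicromatch(info, here, out);
  }
  return out;
}

// Input guard for brace patterns: cap the length (the advisory says braces
// itself does not) and reject imbalanced or overly nested braces before the
// string is handed to the glob library. Backslash-escaped characters are
// skipped so that a literal "\{" is not counted as an opener.
function isSafeBracePattern(pattern, maxLen = 256, maxDepth = 8) {
  if (typeof pattern !== 'string' || pattern.length > maxLen) return false;
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }
    if (ch === '{') {
      if (++depth > maxDepth) return false;
    } else if (ch === '}') {
      if (--depth < 0) return false;
    }
  }
  return depth === 0;
}

// Constructed sample tree (not real `npm ls` output; versions are illustrative).
const sampleTree = {
  dependencies: {
    'tool-a': {
      version: '1.0.0',
      dependencies: { micromatch: { version: '4.0.7' } },
    },
    'tool-b': {
      version: '2.0.0',
      dependencies: { micromatch: { version: '4.0.8' } },
    },
  },
};

console.log('vulnerable micromatch copies:', findVulnerableMicromatch(sampleTree));
console.log('pattern ok?', isSafeBracePattern('src/{a,b}/**/*.{js,ts}'));
console.log('imbalanced ok?', isSafeBracePattern('src/{a,b'));
```

In a real pipeline, feed `findVulnerableMicromatch` the parsed output of `npm ls --json --all` and fail the build when it returns anything; keep `isSafeBracePattern` in front of any code path where a pattern originates outside the repository, because the version check alone does not address the unbounded-input behaviour described for braces.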