Webpack 4.35.2 is a minor patch release following closely after version 4.35.1, both iterations of the popular module bundler used extensively in modern JavaScript development. Analyzing the package metadata reveals few discernible differences between these two versions, primarily in the timestamps associated with their release dates and the slight variation present in the unpacked size of the packages. This small size difference may hint at minimal code changes or optimization tweaks. Both versions share the same core description, dependencies, and devDependencies, indicating a stable and consistent feature set.
For developers, this suggests that upgrading from 4.35.1 to 4.35.2 should be a seamless experience with a very low possibility of introducing breaking changes. The library continues to offer robust functionality for bundling CommonJS/AMD modules, code splitting, and loader support for various file types such as JSON, JSX, CSS, and more. Developers can continue to leverage webpack's capabilities for managing complex project dependencies, optimizing asset delivery, and enhancing overall web application performance. Both versions rely on a well-established ecosystem of plugins and loaders, promoting flexibility and customization to fit specific project requirements. With the consistent suite of tools and features, developers can be confident in their bundling process without having to refactor their code.
All vulnerabilities related to version 4.35.2 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
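Both advisories above come down to the same two missing properties on attacker-controlled pattern input: no length cap and no check that braces are balanced before parsing. The following guard is an added example (not code from webpack, micromatch or braces) that a service accepting user-supplied glob patterns could run before handing them to the bundler's glob layer; the 256-character limit and the function name are assumptions chosen for illustration.

```javascript
// Added example: pre-validate a glob pattern before it reaches a
// brace-expansion / glob library. Rejects over-long input (the
// "uncontrolled resource consumption" vector) and unbalanced braces
// (the "imbalanced braces" input that makes the parser loop).
// MAX_PATTERN_LENGTH is an assumed policy value, not a library setting.
const MAX_PATTERN_LENGTH = 256;

function validateGlobPattern(pattern, maxLength = MAX_PATTERN_LENGTH) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > maxLength) {
    return { ok: false, reason: `pattern exceeds ${maxLength} characters` };
  }
  let depth = 0; // current brace nesting depth
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') {
      i++; // a backslash-escaped character is a literal, skip it
      continue;
    }
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) {
        return { ok: false, reason: `unmatched "}" at offset ${i}` };
      }
      depth--;
    }
  }
  if (depth > 0) {
    return { ok: false, reason: `${depth} unclosed "{"` };
  }
  return { ok: true, reason: null };
}

// Constructed sample inputs: a normal pattern, a missing closing brace,
// a stray closing brace, an escaped brace, and an oversized payload.
const SAMPLE_PATTERNS = [
  'src/{components,utils}/**/*.{js,jsx}',
  'src/{components,utils/**/*.js',
  'src/utils}/*.js',
  'src/literal\\{name\\}/*.css',
  '{'.repeat(MAX_PATTERN_LENGTH + 1),
];

for (const p of SAMPLE_PATTERNS) {
  const { ok, reason } = validateGlobPattern(p);
  console.log(ok ? 'ACCEPT' : `REJECT (${reason})`, JSON.stringify(p.slice(0, 40)));
}
```

Patterns that fail this check never reach the library, so a single oversized or malformed request cannot tie up the event loop or exhaust the heap, and the rejection reason can be logged as a detection signal.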