Webpack 4.35.3 is a minor update to the popular JavaScript module bundler, following the 4.35.2 release. While the core functionality remains the same, several dependency updates differentiate the two versions. A notable change is the update of the "acorn" dependency from version 6.0.5 to 6.2.0. Acorn is a tiny, fast JavaScript parser, and this upgrade likely includes bug fixes and performance enhancements that improve the overall parsing efficiency of Webpack. Another difference is the removal of the "acorn-dynamic-import" dependency, whose functionality may have been incorporated into the newer acorn version or refactored into webpack's own code.
Developers will also notice a small change in the unpacked size, with 4.35.3 being marginally larger than its predecessor (1398524 vs 1398510), most likely due to the updated dependencies. The release date also distinguishes the versions: 4.35.3 was published on July 8, 2019, a week after the 4.35.2 release on July 1, 2019.
For developers, upgrading from 4.35.2 to 4.35.3 should be relatively seamless given the minor nature of the update, and the updated Acorn version may bring performance benefits. Overall, Webpack 4.35.3 maintains the core strength of Webpack 4, offering robust module bundling capabilities with enhanced dependency management.
All the vulnerabilities related to version 4.35.3 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching keeps backtracking through the input for as long as it fails to find the closing bracket. As the input size increases, the time consumed also increases, until the application hangs or slows down. There was a merged fix, but further testing showed that the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing enters a loop that allocates heap memory without ever freeing it. Eventually the JavaScript heap limit is reached and the program crashes.
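The two advisories above describe the same root cause from two sides: a greedy brace test that backtracks more and more as the input grows, and a parser that accepts input of any length. The following added example (not micromatch's or braces' own code) models that point: a step counter for the greedy pattern shape the micromatch advisory describes, a one-pass replacement that gives the same answer without backtracking, and a length bound in front of the parser. The regex shape and the 4096-character limit are assumptions, not copied from either project.

```javascript
// Added example, not micromatch's or braces' own code. It models the two
// advisories above: a greedy "{.*}" test backtracks quadratically when no '}'
// follows, a one-pass scan answers the same question in linear time, and a
// length bound keeps unbounded input away from the brace parser.

// Vulnerable shape the micromatch advisory describes (assumption: the shape,
// not a verbatim copy of micromatch's index.js).
const GREEDY_BRACES = /\{.*\}/;
function hasBracesGreedy(pattern) {
  return GREEDY_BRACES.test(pattern);
}

// Safe replacement: one forward pass, no regex. Same answer as the greedy
// test: true iff a '{' is followed, later on the same line, by a '}'.
function hasBracesSafe(pattern) {
  let seenOpen = false;
  for (const ch of pattern) {
    if ('\n\r\u2028\u2029'.includes(ch)) seenOpen = false; // '.' stops at EOL
    else if (ch === '{') seenOpen = true;
    else if (ch === '}' && seenOpen) return true;
  }
  return false;
}

// Simplified model of a backtracking engine running /\{.*\}/: from each '{',
// '.*' swallows the rest of the line, then gives characters back one by one
// looking for '}'. Counting those steps shows the growth without timing.
function greedyBacktrackSteps(pattern) {
  let steps = 0;
  for (let i = 0; i < pattern.length; i++) {
    if (pattern[i] !== '{') continue;
    let end = i + 1;
    while (end < pattern.length && !'\n\r\u2028\u2029'.includes(pattern[end])) end++;
    steps += end - (i + 1);                  // forward: '.*' advanced this far
    for (let j = end; j > i; j--) {          // backward: try '}' at each spot
      steps++;
      if (pattern[j] === '}') return steps;  // match found
    }
  }
  return steps;                              // no match, all work wasted
}

// Length bound for anything passed on to the brace parser (constructed limit).
const MAX_PATTERN_LENGTH = 4096;
function checkPattern(pattern) {
  if (pattern.length > MAX_PATTERN_LENGTH) return { ok: false, reason: 'too long' };
  return { ok: true, hasBraces: hasBracesSafe(pattern) };
}
```

With the model, a string of n opening braces and no closing brace costs n² steps for the greedy test, while the one-pass scan reads it once.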