Version 4.0.10 of @adobe/jsonschema2md introduces a minor adjustment compared to its predecessor, version 4.0.9. Both versions share the same core functionality, providing developers with a robust tool to validate and generate documentation for complex JSON Schemas, streamlining the development workflow. While the dependency list remains largely consistent between the two versions, a key difference lies in the es2015-i18n-tag dependency. Version 4.0.9 specifies the version as ^1.6.1, while version 4.0.10 uses 1.6.1 without the caret. Dropping the caret pins the dependency to exactly 1.6.1 instead of accepting any later 1.x release, which suggests a deliberate choice to lock down a specific patch version, potentially addressing compatibility concerns or ensuring consistent behavior.
Developers leveraging @adobe/jsonschema2md gain access to a rich ecosystem of tools including mocha for testing, yargs for command-line argument parsing, and js-yaml for YAML support. The underlying documentation generation relies on unified, remark-parse, and remark-stringify to provide the flexibility needed to manipulate and convert markdown. Additionally, a suite of development dependencies such as eslint, codecov, and semantic-release ensures code quality, test coverage, and automated releases. The patch bump addresses internal improvements to the module's size distribution and may include bug fixes, enhancing the overall stability of the tool. Though minor, such differences and releases reflect Adobe's commitment to maintaining the library and addressing its users' needs.
All vulnerabilities related to version 4.0.10 of the package
Regular Expression Denial of Service in debug
Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the 'o' formatter.
Because it takes 50,000 characters to block the event loop for 2 seconds, this is a low-severity issue.
This was later re-introduced in version 3.2.0, and then re-patched in versions 3.2.7 and 4.3.1.
Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
flat vulnerable to Prototype Pollution
flat helps flatten/unflatten nested JavaScript objects. A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 addresses this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.
Regular Expression Denial of Service in trim
All versions of package trim lower than 0.0.3 are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().