AVA 2.0.0 represents a notable evolution from its predecessor, AVA 1.4.1, offering several updated dependencies and refinements that enhance the testing experience. A significant change lies in the updated dependencies, bringing improvements in performance, security, and new features from underlying libraries. For instance, packages like del, globby, find-up, chokidar, and make-dir receive version bumps, likely incorporating bug fixes and potentially faster file system operations.
Developers will appreciate the modernized dependencies, particularly those related to Babel (@babel/core, @babel/generator), which enable support for the latest JavaScript syntax and features. The shift to newer versions of utilities such as lodash (individual modules were used in 1.4.1) and updated CLI tools like ora and chalk can lead to a smoother and more visually appealing testing output. While both versions share core dependencies like ms, meow, and debug, the updates ensure compatibility with recent Node.js environments and offer potential performance gains.
Dependency updates aside, the core functionality of AVA remains unchanged, so existing tests should largely remain compatible. However, developers should pay attention to the breaking changes introduced by the updated dependencies, especially for file system operations and Babel transformations, to ensure a seamless upgrade and keep their test setups stable. The release date difference (2019-06-01 vs 2019-03-27) indicates that 2.0.0 brings over two months of accumulated improvements and refinements contributing to a more polished testing framework.
All vulnerabilities related to version 2.0.0 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
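The mechanism described above, as an added example that is not code from AVA or yargs-parser: a toy dotted-path argument parser whose unguarded deep-set lets "--foo.__proto__.bar baz" write onto Object.prototype, beside a hardened setter that refuses prototype keys and only walks own properties. All names (setPathUnsafe, setPathSafe, parseArgs, pollutionAfterParsing) are hypothetical, and the argument list is constructed input.

```javascript
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Unsafe deep-set: walks "a.b.c" without checking segments, so for
// "foo.__proto__.bar" the final write lands on Object.prototype.
function setPathUnsafe(target, path, value) {
  const parts = path.split('.');
  let node = target;
  for (const part of parts.slice(0, -1)) {
    if (typeof node[part] !== 'object' || node[part] === null) node[part] = {};
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
}
// Hardened deep-set: rejects prototype keys and only descends into own
// properties, so inherited accessors such as __proto__ are never followed.
function setPathSafe(target, path, value) {
  const parts = path.split('.');
  const bad = parts.find((p) => FORBIDDEN_KEYS.has(p));
  if (bad !== undefined) throw new Error(`refusing prototype key "${bad}" in "${path}"`);
  let node = target;
  for (const part of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, part);
    if (!own || typeof node[part] !== 'object' || node[part] === null) node[part] = {};
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
}
// Minimal argv parser: "--a.b value" sets a.b; a bare "--flag" sets flag = true.
function parseArgs(argv, setPath) {
  const result = {};
  for (let i = 0; i < argv.length; i++) {
    if (!argv[i].startsWith('--')) continue;
    const key = argv[i].slice(2);
    const next = argv[i + 1];
    setPath(result, key, next !== undefined && !next.startsWith('--') ? argv[++i] : true);
  }
  return result;
}
// Parses the advisory's argument (constructed input) with the given setter and
// reports what a fresh object then sees as `bar`; `finally` undoes any pollution.
function pollutionAfterParsing(setPath) {
  try {
    parseArgs(['--foo.__proto__.bar', 'baz'], setPath);
    return ({}).bar; // 'baz' means every object in the process now inherits it
  } catch (err) {
    return 'rejected: ' + err.message;
  } finally {
    delete Object.prototype.bar;
  }
}
```

The same guard belongs in any code that turns user-controlled keys into nested assignments, not only in CLI parsers.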
Uncontrolled Resource Consumption in trim-newlines
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can drive up CPU usage and crash the program by supplying a very large, specially constructed string.
Got allows a redirect to a UNIX socket
The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.