AVA, the delightful JavaScript testing framework, released version 2.1.0, a minor update following the 2.0.0 stable release. Although seemingly small, this increment brings subtle improvements and dependency updates important for developers focused on stability and leveraging the latest tools.
A key difference lies in the updated dependencies. Version 2.1.0 ships updated versions of ms and chokidar in its dependencies. These updates likely address bug fixes, performance enhancements, or security patches within those dependencies, ultimately contributing to a more robust and reliable testing experience.
While the core functionality of AVA remains consistent between versions, developers will appreciate the refined dependencies and the problem resolutions they may bring. Notably, both versions share a wealth of valuable tools that ease testing, such as bluebird for promise handling, lodash for utility functions and globby for file matching. AVA continues to deliver concurrent test execution, concise syntax and isolated environments, making the development process more effective. Developers should evaluate the updated dependencies to ensure compatibility with their projects and benefit from any improvements offered by the minor release. Users already on 2.0.0 will likely experience a smooth transition. The devDependencies include tools like xo for linting, nyc for test coverage, and react and react-test-renderer for testing React components.
In essence, version 2.1.0 represents a maintenance release focused on solidifying AVA's functionality through incremental dependency updates.
All the vulnerabilities related to version 2.1.0 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
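To show what the fix side of this advisory looks like, here is an added example (not code from AVA or yargs-parser) of a dotted-key setter of the kind an argument parser uses for --foo.bar baz, written so that it refuses to walk into Object.prototype; the names setPath, parseDottedArgs and prototypeIsClean are constructed for this example.

```javascript
// Path segments that would let "--foo.__proto__.bar baz" escape the target
// object and reach Object.prototype. A dotted-key parser must refuse them,
// or every object in the process inherits the injected property.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assign `value` at dotted `path` inside `target`, creating intermediate
// objects as needed. Throws instead of walking into a forbidden segment.
function setPath(target, path, value) {
  const segments = path.split('.');
  const bad = segments.find((s) => FORBIDDEN_KEYS.has(s));
  if (bad !== undefined) {
    throw new Error(`refusing prototype-affecting key segment: ${bad}`);
  }
  let cursor = target;
  for (const key of segments.slice(0, -1)) {
    // Descend only into own plain objects; never into inherited properties.
    if (!Object.prototype.hasOwnProperty.call(cursor, key) ||
        typeof cursor[key] !== 'object' || cursor[key] === null) {
      cursor[key] = Object.create(null); // null prototype: nothing to pollute
    }
    cursor = cursor[key];
  }
  cursor[segments[segments.length - 1]] = value;
  return target;
}

// Minimal "--key value" / "--key.sub value" parser built on setPath.
// Constructed for this example; real parsers such as yargs-parser do far more.
function parseDottedArgs(argv) {
  const result = {};
  const rejected = [];
  for (let i = 0; i < argv.length; i++) {
    if (!argv[i].startsWith('--')) continue;
    const key = argv[i].slice(2);
    const hasValue = i + 1 < argv.length && !argv[i + 1].startsWith('--');
    const value = hasValue ? argv[++i] : true;
    try {
      setPath(result, key, value);
    } catch (err) {
      rejected.push(key); // log or alert here in a real CLI; do not drop silently
    }
  }
  return { result, rejected };
}

// After parsing the advisory's payload, a fresh object must still lack "bar".
function prototypeIsClean() {
  return !('bar' in {});
}
```

The rejected list doubles as a detection signal: any argument containing a forbidden segment is worth logging, since legitimate CLI input never needs to name __proto__.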
Uncontrolled Resource Consumption in trim-newlines
@rkesters/gnuplot is an easy to use node module to draw charts using gnuplot and ps2pdf. The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large, well-crafted string.
Got allows a redirect to a UNIX socket
The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.