AVA 2.3.0 is an incremental release over version 2.2.0 whose main changes are dependency updates that affect developers using the testing framework. The Babel core components @babel/core and @babel/generator move from 7.5.0 to 7.5.5, so users pick up the latest features and bug fixes in the Babel ecosystem, which AVA relies on for transpiling modern JavaScript.
Other updated dependencies are md5-hex (3.0.0 to 3.0.1) and source-map-support (0.5.12 to 0.5.13), which can improve source map handling and therefore the debugging experience. AVA 2.3.0 uses @ava/babel-preset-stage-4 4.0.0 (up from 3.0.0) and @ava/babel-preset-transform-test-files 6.0.0 (up from 5.0.0), so code using ES2019+ features can be tested more reliably out of the box.
Notably, AVA 2.2.0 depended on @babel/plugin-syntax-async-generators, @babel/plugin-syntax-object-rest-spread and @babel/plugin-syntax-optional-catch-binding, none of which are listed directly in AVA 2.3.0's dependencies. Although this looks like a reduction, it most likely means these syntax plugins are now pulled in through the core Babel presets, which simplifies the dependency tree. In devDependencies, TypeScript moves from 3.5.2 to 3.5.3 and lolex from 4.1.0 to 4.2.0, small updates to internal developer tooling. Together these updates keep AVA aligned with current JavaScript standards and streamline testing for developers.
Known vulnerabilities affecting version 2.3.0 of the package

yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
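To make the yargs-parser advisory concrete from the defender's side, here is an added example (not code from AVA or from yargs-parser) of a minimal dotted-key argument parser that cannot reach Object.prototype: every path segment is checked against a deny list and every intermediate object is created with a null prototype. The parser, the helper names and the argument list are all constructed for this illustration; the only input taken from the advisory is the --foo.__proto__.bar baz argument.

```javascript
'use strict';

// Added example: hardened dotted-key expansion for CLI arguments.
// Not the yargs-parser implementation; names and inputs are constructed.

// Path segments that must never be used as keys when expanding "a.b.c".
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Expand a dotted key such as "foo.bar" into nested objects on `target`.
// Intermediate objects get a null prototype, so even if the deny list
// were bypassed a write could only land on an own property.
function setDottedKey(target, dottedKey, value) {
  const segments = dottedKey.split('.');
  for (const segment of segments) {
    if (FORBIDDEN_SEGMENTS.has(segment)) {
      throw new Error(`refusing key "${dottedKey}": segment "${segment}" is not allowed`);
    }
  }
  let cursor = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const segment = segments[i];
    const existing = Object.prototype.hasOwnProperty.call(cursor, segment) ? cursor[segment] : undefined;
    if (typeof existing !== 'object' || existing === null) {
      cursor[segment] = Object.create(null);
    }
    cursor = cursor[segment];
  }
  cursor[segments[segments.length - 1]] = value;
  return target;
}

// Minimal argv parser for "--key value" and "--key=value" pairs. A stand-in
// for a real CLI parser, used only to show where the check belongs.
function parseArgs(argv) {
  const result = Object.create(null);
  for (let i = 0; i < argv.length; i++) {
    const token = argv[i];
    if (!token.startsWith('--')) continue;
    let key = token.slice(2);
    let value;
    const eq = key.indexOf('=');
    if (eq !== -1) {
      value = key.slice(eq + 1);
      key = key.slice(0, eq);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    } else {
      value = true; // bare flag
    }
    setDottedKey(result, key, value);
  }
  return result;
}

// Detection helper for a test suite: has Object.prototype gained a property
// it should not have? That is the observable symptom of prototype pollution.
function isPrototypePolluted(propertyName) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, propertyName);
}

// Run a benign argument list and the advisory's argument through the parser.
function demo() {
  const benign = parseArgs(['--foo.bar', 'baz', '--verbose']);
  let rejected = false;
  try {
    parseArgs(['--foo.__proto__.bar', 'baz']);
  } catch (err) {
    rejected = true;
  }
  return { benign, rejected, polluted: isPrototypePolluted('bar') };
}

console.log(demo());
```

The same isPrototypePolluted check is cheap enough to run in a test suite's teardown against any property name a test passed on the command line, which turns this class of bug into a failing test instead of a silent global change.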
Uncontrolled Resource Consumption in trim-newlines
@rkesters/gnuplot is an easy-to-use node module to draw charts using gnuplot and ps2pdf. The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase CPU usage and crash the program by supplying a very large, specially crafted string.
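Both the trim-newlines and cross-spawn advisories describe the same class of defect: a regular expression that backtracks super-linearly on adversarial input. The added example below (written for this page, not code from either package) uses the trim-newlines case as the concrete instance. A greedy, end-anchored character class such as /[\r\n]+$/ re-scans a shrinking run of newlines from every starting position when the run is followed by a non-newline character, which is quadratic in the input length; a plain backwards scan does the same job in linear time with no regex at all. The regex, the worst-case input generator and the timing helper are all constructed for the illustration and are not claimed to be the exact code that was vulnerable.

```javascript
'use strict';

// Added example: ReDoS-prone trailing-newline trim versus a linear-time loop.
// Not the trim-newlines implementation; the pattern is of the same shape.

// Greedy end-anchored class: on "\n".repeat(n) + "x" a backtracking engine
// consumes the run, fails at "$", backs off one character at a time, then
// retries from the next start position, so the work grows with n squared.
const TRAILING_NEWLINES_RE = /[\r\n]+$/;

function trimEndWithRegex(input) {
  return input.replace(TRAILING_NEWLINES_RE, '');
}

// Linear-time alternative: walk back from the end and slice exactly once.
function trimEndNewlines(input) {
  let end = input.length;
  while (end > 0) {
    const code = input.charCodeAt(end - 1);
    if (code !== 10 && code !== 13) break; // 10 = "\n", 13 = "\r"
    end--;
  }
  return end === input.length ? input : input.slice(0, end);
}

// Constructed worst-case input: a long run of newlines that is not at the
// end of the string, so the regex can never match but keeps trying.
function worstCaseInput(n) {
  return '\n'.repeat(n) + 'x';
}

// Wall-clock comparison for the reader. Timings depend on the machine, so
// only the equality of the two results is something a test should check.
function compare(n) {
  const input = worstCaseInput(n);
  const t0 = process.hrtime.bigint();
  const viaRegex = trimEndWithRegex(input);
  const t1 = process.hrtime.bigint();
  const viaLoop = trimEndNewlines(input);
  const t2 = process.hrtime.bigint();
  return {
    sameResult: viaRegex === viaLoop,
    regexMs: Number(t1 - t0) / 1e6,
    loopMs: Number(t2 - t1) / 1e6,
  };
}

// Grow n and watch the regex column climb while the loop column stays flat.
for (const n of [1000, 10000, 30000]) {
  console.log(n, compare(n));
}
```

The defensive rule this illustrates: when a function must accept untrusted strings, prefer explicit scanning, a bounded input length, or a regex whose repetition cannot overlap with what follows it, and include a worst-case input like the one above in the test suite with a time budget so a regression shows up before it reaches production.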
Got allows a redirect to a UNIX socket
The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.
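The got advisory is about where a redirect may send a client. An added example follows (not got's own code) of a redirect policy that only accepts http: or https: targets and refuses got's documented UNIX-socket URL form, in which the hostname is the literal string unix (http://unix:SOCKET:PATH). The response table and the small redirect follower are constructed stand-ins for a server and an HTTP client so that the policy can be exercised offline; in a real got setup the same check would run inside a beforeRedirect hook, whose option shape differs between got majors and is not reproduced here.

```javascript
'use strict';

// Added example: validate every redirect hop before following it.
// Not the got implementation; the client loop and responses are constructed.

// Decide whether a Location header, resolved against the current URL, is an
// acceptable next hop. Returns the resolved URL when allowed.
function classifyRedirectTarget(location, currentUrl) {
  let url;
  try {
    url = new URL(location, currentUrl);
  } catch (err) {
    return { allowed: false, reason: 'unparseable' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allowed: false, reason: 'protocol' };
  }
  // got's UNIX-socket addressing uses the hostname "unix"; a redirect must
  // never be able to steer a request onto a local socket.
  if (url.hostname === 'unix') {
    return { allowed: false, reason: 'unix-socket' };
  }
  return { allowed: true, url: url.href };
}

// Constructed response table standing in for a server: URL -> response.
const RESPONSES = {
  'https://example.test/start': { status: 302, location: '/step2' },
  'https://example.test/step2': { status: 302, location: 'http://unix:/tmp/app.sock:/internal' },
  'https://example.test/ok': { status: 302, location: 'https://example.test/final' },
  'https://example.test/final': { status: 200 },
};

// Minimal redirect follower: applies the policy on every hop and stops with a
// reason instead of silently following a rejected target.
function followRedirects(startUrl, responses, maxHops = 5) {
  const visited = [startUrl];
  let current = startUrl;
  for (let hop = 0; hop < maxHops; hop++) {
    const response = responses[current] || { status: 404 };
    const isRedirect = response.status >= 300 && response.status < 400 && response.location;
    if (!isRedirect) {
      return { ok: true, finalUrl: current, status: response.status, visited };
    }
    const verdict = classifyRedirectTarget(response.location, current);
    if (!verdict.allowed) {
      return { ok: false, reason: verdict.reason, blockedAt: current, visited };
    }
    current = verdict.url;
    visited.push(current);
  }
  return { ok: false, reason: 'too-many-redirects', visited };
}

console.log(followRedirects('https://example.test/start', RESPONSES));
console.log(followRedirects('https://example.test/ok', RESPONSES));
```

Logging the blockedAt URL and reason, as the follower does, gives a detection signal: a server that redirects clients toward local sockets or non-HTTP schemes is worth alerting on even when the client refuses to follow.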