Bl is a Node.js library designed for efficiently managing and manipulating collections of Buffer objects. It presents a unified and streamable Buffer interface, simplifying the process of working with data that arrives in chunks. Version 1.1.2 is a minor update to the library, following closely on the heels of version 1.1.1, with both releases occurring on the same day, February 12, 2016.
A key aspect for developers is that both versions share identical dependencies and development dependencies, relying on "readable-stream" for stream functionality and "tape", "faucet", and "hash_file" for testing and related utilities. This suggests that the core functionality and API remain consistent between the two versions. The license remains MIT, a permissive open-source license, and the source code is hosted on GitHub, facilitating community contributions and transparency.
While a detailed changelog isn't provided in the metadata, the small version increment (1.1.1 to 1.1.2) suggests the update includes bug fixes, performance improvements, or minor enhancements rather than significant feature additions. Developers already using bl should consider upgrading to 1.1.2 to benefit from these potential improvements and ensure they're running the most stable version. New adopters can confidently choose either version, but 1.1.2 is recommended due to its slightly later release date. Since backwards compatibility does not appear to be affected, upgrading your project to the latest version should bring benefits without breaking important code.
All vulnerabilities affecting version 1.1.2 of the package
Remote Memory Exposure in bl
A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3. If user-supplied input (even typed input) reaches the argument of consume() and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via ordinary .slice() calls.
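The mitigation on the caller's side is to never let an unvalidated length reach consume(): the value must be a non-negative integer, and not more than what is buffered. The example below is added here and is not code from the bl project; `ChunkList` is a constructed stand-in with the consume()/slice() shape the advisory refers to (not bl's BufferList), and `validateConsumeLength`, `consumeChecked`, `rejects` and `demo` are hypothetical names chosen for this illustration. It shows why plain coercion is not enough: Number("") is 0, Number("0x10") is 16 and Number("-1") is -1, so the check only accepts real numbers or strings of decimal digits.

```javascript
// Added example, not bl's own code: a boundary check for user-supplied
// lengths before they reach consume(), exercised against a small stand-in
// chunk list (constructed for this example, not bl's BufferList).

// Turn untrusted input (a number, or a string "typed" by a user) into a
// validated non-negative integer no larger than `available`. Anything else
// is rejected with an exception rather than coerced.
function validateConsumeLength(input, available) {
  let n;
  if (typeof input === 'number') {
    n = input;
  } else if (typeof input === 'string' && /^[0-9]+$/.test(input)) {
    n = Number(input); // only plain decimal digits get this far
  } else {
    throw new TypeError(
      `consume length must be a non-negative integer, got ${JSON.stringify(input)}`
    );
  }
  if (!Number.isSafeInteger(n) || n < 0) {
    throw new RangeError(`consume length out of range: ${n}`);
  }
  if (n > available) {
    throw new RangeError(`consume length ${n} exceeds buffered ${available} bytes`);
  }
  return n;
}

// Stand-in for a chunked buffer list with consume()/slice(). Constructed for
// this example; it is not bl's code.
class ChunkList {
  constructor() {
    this.bufs = [];
    this.length = 0;
  }
  append(data) {
    const buf = Buffer.from(data);
    this.bufs.push(buf);
    this.length += buf.length;
    return this;
  }
  // Drop `bytes` from the front. Callers should reach this only through
  // consumeChecked() so that `bytes` has already been validated.
  consume(bytes) {
    while (this.bufs.length > 0 && bytes > 0) {
      const head = this.bufs[0];
      if (bytes >= head.length) {
        bytes -= head.length;
        this.length -= head.length;
        this.bufs.shift();
      } else {
        this.bufs[0] = head.subarray(bytes);
        this.length -= bytes;
        bytes = 0;
      }
    }
    return this;
  }
  slice() {
    return Buffer.concat(this.bufs);
  }
}

// The guarded entry point: validate first, then consume.
function consumeChecked(list, input) {
  const n = validateConsumeLength(input, list.length);
  return list.consume(n);
}

// True if consumeChecked() rejects `input`; the list is untouched on rejection
// because validation throws before consume() is called.
function rejects(list, input) {
  try {
    consumeChecked(list, input);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed walk-through: a well-formed typed length is accepted, and a set
// of malformed, negative, fractional or oversized inputs are all rejected.
function demo() {
  const list = new ChunkList().append('hello ').append('world');
  consumeChecked(list, '6'); // typed "6" is fine
  const remaining = list.slice().toString(); // 'world'
  const badInputs = ['-1', '', ' 5', '0x10', '1e3', -1, 2.5, NaN, Infinity, 999];
  return { remaining, allRejected: badInputs.every((v) => rejects(list, v)) };
}
```

The same shape applies when the real library is in use: wrap `bl.consume()` behind a function like `consumeChecked` so the length is validated against `bl.length` at the boundary where untrusted input enters, rather than trusting every call site to remember the check.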