Class-validator is a popular npm package for class-based validation in TypeScript, ES6, and ES5 environments. It uses decorators and validation schemas and works in both Node.js and browser applications. Comparing versions 0.7.2 and 0.7.3, the core functionality is the same, giving developers a robust validation mechanism. The primary dependency, "validator", remains at "^7.0.0" in both versions, so compatibility with that underlying validation library is unchanged.
The main difference is the release date. Version 0.7.3 was published on October 17, 2017, whereas version 0.7.2 was released on June 27, 2017. This four-month gap suggests that version 0.7.3 likely incorporates bug fixes, performance enhancements, or minor feature additions not present in the earlier version. Developers should prefer version 0.7.3 to benefit from these improvements and a more stable validation process.
Both versions carry a rich set of development dependencies, including tools for testing (Chai, Mocha, Sinon), linting (TSLint), and builds (Gulp, TypeScript). These dependencies signal a commitment to code quality and a well-structured development workflow. The inclusion of "@types" packages indicates strong TypeScript support, which matters for projects that rely on static typing. Upgrading to the newest release is therefore advised to pick up potential improvements and bug fixes and to keep the validation setup reliable.
Vulnerabilities affecting version 0.7.3 of the package
SQL Injection and Cross-site Scripting in class-validator
In TypeStack class-validator, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input.
The default setting for forbidUnknownValues has been changed to true in 0.14.0.
NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.
Inefficient Regular Expression Complexity in validator.js
validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression Complexity (ReDoS).
Note that class-validator 0.7.3 declares its validator dependency as "^7.0.0", which resolves only to 7.x releases and therefore falls entirely within the affected range.