Coffee-coverage is a valuable tool for developers working with CoffeeScript, providing Istanbul and JSCoverage-style instrumentation to facilitate code coverage analysis. Versions 0.5.2 and 0.5.3 share the same core functionality, offering developers the ability to generate coverage reports for their CoffeeScript projects, ensuring thorough testing and code quality. The core dependencies remain consistent between the two versions, relying on Chai for assertions, Lodash for utility functions, Pkginfo for package information, Argparse for command-line argument parsing, and CoffeeScript itself for compilation. Development dependencies such as Mocha for testing, Sinon for spies and stubs, Istanbul for coverage analysis, and Coveralls for reporting are also identical, indicating a stable and well-supported toolchain.
The key difference between the two versions lies in their release dates. Version 0.5.3 was released on May 5th, 2015 at 21:28:37 UTC, while version 0.5.2 was released earlier that same day at 05:06:18 UTC. Although no functional changes appear in the given data, this difference in release date suggests that version 0.5.3 likely includes bug fixes or minor improvements implemented after the release of 0.5.2. Developers should consider upgrading to the latest patch version to benefit from these potential enhancements and ensure they are using the most stable and reliable version of the library. The consistent dependencies and devDependencies across both versions emphasize the stability and maturity of the coffee-coverage package, making it a dependable choice for CoffeeScript projects requiring comprehensive test coverage.
All vulnerabilities related to version 0.5.3 of the package
Prototype Pollution in lodash
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.12 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.5 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.11 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.11 or later.
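The three deep-merge advisories above describe the same failure mode: a recursive merge that treats "__proto__" (or constructor.prototype) in untrusted input like any other key and so writes into Object.prototype. The following is an added example, not code from coffee-coverage or lodash: a naive merge of that shape next to a hardened one that drops the dangerous keys, plus a check that shows whether an unrelated object picked up the injected property. The input object and the property name "polluted" are constructed for the demonstration.

```javascript
'use strict';

// Keys that let a recursive merge walk into Object.prototype
// instead of the target object.
const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive deep merge: copies every own key of `source`. Because
// target["__proto__"] resolves to Object.prototype, a nested
// "__proto__" object is merged into the prototype shared by all objects.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skips the pollution keys and only descends into
// plain objects that are own properties of the target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (POLLUTION_KEYS.has(key)) continue; // drop it (or throw, if stricter)
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs `mergeFn` over constructed untrusted input and reports whether an
// unrelated object now carries the injected property; restores the prototype.
function leaksIntoAllObjects(mergeFn) {
  const untrusted = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed
  const unrelated = {};
  try {
    mergeFn({}, untrusted);
    return unrelated.polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}
```

The same key filter belongs in any code that builds property paths from user input, which is the case the pick/set/zipObjectDeep advisory below covers.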
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Arbitrary Code Execution in underscore
Versions of the package underscore from 1.13.0-0 before 1.13.0-2, and from 1.3.2 before 1.12.1, are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.
Regular Expression Denial of Service in underscore.string
Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS). The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.
Upgrade to version 3.3.5 or higher.