Cross-env is a valuable npm package designed to solve the headache of setting environment variables consistently across different operating systems, particularly when running scripts. Versions 5.1.4 and 5.1.5 both serve this core purpose, allowing developers to write cross-platform scripts without worrying about platform-specific syntax for setting environment variables. Both rely on is-windows and cross-spawn as dependencies, and use kcd-scripts for development tasks, while maintaining the same MIT license and repository.
The key difference between versions 5.1.4 and 5.1.5 lies in the details behind the scenes. Version 5.1.5, released on May 9th, 2018, has a slightly larger unpacked size of 25835 bytes, compared to 25472 bytes for version 5.1.4, released on March 9th, 2018. This indicates internal improvements, potentially bug fixes or minor feature enhancements, rather than a significant overhaul. Developers upgrading from 5.1.4 to 5.1.5 should expect a stable transition, and both versions are suitable for most use cases. While the changelog isn't provided, the increased size suggests that this version could contain minor but important updates. Those relying on this package should consider updating.
All vulnerabilities related to version 5.1.5 of the package
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase CPU usage and crash the program by supplying a very large, well-crafted string.
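Because cross-spawn arrives as a dependency of cross-env, one project can hold several nested copies of it at different versions. The following is an added example, not code from cross-env or cross-spawn: it scans the `packages` map of a package-lock.json (lockfileVersion 2 or 3 assumed) for every installed cross-spawn copy below 7.0.5. The function names and the sample lockfile are constructed for illustration.

```javascript
// Constructed lockfile excerpt (lockfileVersion 3 layout); not from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/cross-env": { version: "5.1.5" },
    "node_modules/cross-env/node_modules/cross-spawn": { version: "5.1.0" },
    "node_modules/cross-spawn": { version: "7.0.6" },
    "node_modules/execa/node_modules/cross-spawn": { version: "7.0.3" },
  },
};

// First version the advisory text above treats as not vulnerable.
const FIXED = "7.0.5";

// Compare x.y.z versions numerically. A prerelease (e.g. 7.0.5-rc.1) sorts
// below its release; two prereleases of the same core are treated as equal.
function compareVersions(a, b) {
  const [coreA, preA] = a.split("-", 2);
  const [coreB, preB] = b.split("-", 2);
  const pa = coreA.split(".").map(Number);
  const pb = coreB.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (preA && !preB) return -1;
  if (!preA && preB) return 1;
  return 0;
}

// Return every installed cross-spawn copy older than `fixed`, with its path,
// so nested copies pulled in by other packages are not missed.
function findVulnerableCrossSpawn(lock, fixed = FIXED) {
  const marker = "node_modules/";
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx < 0) continue; // root project or workspace entry
    const name = path.slice(idx + marker.length);
    if (name !== "cross-spawn" || typeof meta.version !== "string") continue;
    if (compareVersions(meta.version, fixed) < 0) hits.push({ path, version: meta.version });
  }
  return hits;
}

console.log(findVulnerableCrossSpawn(sampleLock));
```

Each reported path shows which parent package holds the old copy, which is the package that has to be upgraded or overridden.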