Csvtojson is a Node.js package designed to convert CSV data into JSON format, offering a flexible and customizable parsing experience. Comparing version 1.1.0 with the previous stable version, 1.0.3, reveals key changes that developers should consider.
The most notable difference lies in the dependencies. Version 1.0.3 relies on the async library (version ^1.2.1) for asynchronous operations, whereas version 1.1.0 removes this dependency. Dropping async suggests that the code was refactored to handle asynchronous tasks differently, possibly using newer JavaScript features such as Promises or async/await, which could yield performance improvements or a more streamlined codebase. Both versions depend on minimist (version ^1.2.0).
Both versions share an identical set of development dependencies, including tools for linting (grunt-contrib-jshint), minification (grunt-contrib-uglify), testing (grunt-mocha-test, mocha), and build automation (grunt, grunt-browserify, load-grunt-tasks). This consistency indicates a stable development workflow across both versions. Both versions are licensed under the MIT license and are hosted in git repositories, which makes the library straightforward to adopt in a variety of projects.
Developers migrating from 1.0.3 to 1.1.0 should investigate the implications of the async library removal. Projects that rely on the specific asynchronous behavior provided by async might require adjustments to ensure compatibility. However, the change could also represent a more modern and efficient approach to asynchronous handling, potentially simplifying the code and improving performance. Consider testing how the new version handles the different CSV file formats, sizes, and encodings that your code processes.
All vulnerabilities related to version 1.1.0 of the package
CSVTOJSON has a prototype pollution vulnerability
The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability in versions prior to 2.0.10. The issue arises from insufficient sanitization of nested header names during parsing in the parser_jsonarray component. When processing CSV input whose header fields reference the prototype chain (for example, a header segment named __proto__), the application may unintentionally modify properties of the base Object prototype. This can lead to denial of service conditions or unexpected behavior in applications that rely on unmodified prototype chains, particularly when untrusted CSV data is processed. The flaw requires no user interaction beyond supplying a maliciously constructed CSV file.
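To make the failure mode concrete, the following added example (written for this page, not csvtojson's own code) implements a minimal nested-header assignment of the kind a CSV-to-JSON converter performs, in an unguarded form and a hardened form that rejects prototype-related header segments; the CSV sample and all function names are constructed for the illustration.

```javascript
// Header segments that must never be used as property names when building
// row objects from untrusted CSV headers.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed sample: one legitimate nested header and one that names the prototype chain.
const SAMPLE_CSV = 'name,address.city,__proto__.polluted\nalice,Paris,yes';

// Assign `value` into `target` along a dotted header path such as "address.city".
// With safe=false every segment is used as-is: reading {}['__proto__'] yields
// Object.prototype, so the walk leaves the row object and writes into the shared
// prototype. With safe=true the row is rejected before that can happen.
function setNested(target, headerPath, value, safe) {
  const segments = headerPath.split('.');
  let cursor = target;
  segments.forEach((key, i) => {
    if (safe && FORBIDDEN_KEYS.has(key)) {
      throw new Error('rejected prototype key in header: ' + headerPath);
    }
    if (i === segments.length - 1) {
      cursor[key] = value;
      return;
    }
    if (typeof cursor[key] !== 'object' || cursor[key] === null) cursor[key] = {};
    cursor = cursor[key];
  });
}

// Minimal CSV-to-rows conversion (no quoting support; enough for the sample).
function csvToRows(csvText, safe) {
  const [headerLine, ...dataLines] = csvText.split('\n');
  const headers = headerLine.split(',').map((s) => s.trim());
  return dataLines.map((line) => {
    const row = {};
    line.split(',').forEach((cell, i) => setNested(row, headers[i], cell.trim(), safe));
    return row;
  });
}

// Detection check: did a parse leave an own property behind on Object.prototype?
function isPrototypePolluted() {
  return Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
}

// Run both variants and report what each did; undoes the side effect afterwards.
function demonstrate() {
  const result = {};
  const rows = csvToRows(SAMPLE_CSV, false);
  result.vulnerableCity = rows[0].address.city;     // nesting itself works as intended
  result.vulnerablePolluted = isPrototypePolluted(); // true: every {} now has .polluted
  delete Object.prototype.polluted;
  try { csvToRows(SAMPLE_CSV, true); result.hardenedRejected = false; }
  catch (e) { result.hardenedRejected = true; }
  result.cleanAfter = !isPrototypePolluted();
  return result;
}
```

Building rows with Object.create(null) or checking hasOwnProperty before descending are complementary hardening steps; the key-name denylist shown here is the minimum that stops the header path from reaching the shared prototype.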