Csvtojson is a Node.js package for converting CSV data into JSON, with a flexible and customizable parsing model. Comparing versions 1.1.3 and 1.1.2 shows that both share the same core functionality, description, dependencies (including lodash), development dependencies (such as grunt and its build and test plugins), license (MIT), repository, and author information. The only difference visible in the package metadata is the release date: version 1.1.3 was released on January 23, 2017, while version 1.1.2 was released on January 5, 2017.
The later date suggests that version 1.1.3 contains bug fixes, performance improvements, or minor feature enhancements made after version 1.1.2, although the specific changes are not detailed in the available data. Developers should generally prefer the newer version (1.1.3) for the latest refinements and stability improvements, and projects already using csvtojson should upgrade to it. For a detailed list of changes, consult the package's changelog file (if available) in the GitHub repository. Both versions provide a working solution for CSV to JSON conversion in Node.js environments.
All vulnerabilities affecting version 1.1.3 of the package
CSVTOJSON has a prototype pollution vulnerability
The csvtojson package, a tool for converting CSV data to JSON with customizable parsing, contains a prototype pollution vulnerability in versions prior to 2.0.10 (which includes 1.1.3). The issue arises from insufficient sanitization of nested header names during parsing in the parser_jsonarray component. When a CSV input contains specially crafted header fields that reference the prototype chain (for example, a header segment named __proto__), the parser may unintentionally modify properties of the base Object prototype. This can lead to denial of service or unexpected behavior in applications that rely on unmodified prototype chains, particularly when untrusted CSV data is processed. The flaw requires no user interaction beyond supplying a maliciously constructed CSV file.
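Added example, not csvtojson's own code: a minimal nested-header assignment of the kind the description refers to, showing how a header such as __proto__.polluted reaches Object.prototype when path segments are not checked, beside a guarded variant that rejects those segments. The CSV input and the function names (setPath, csvToJson) are constructed for this illustration.

```javascript
// Illustrative CSV-to-nested-object conversion (constructed, not csvtojson's code).
// A dotted header like "a.b" becomes a nested object; without a guard, a header
// like "__proto__.polluted" walks onto Object.prototype and writes there.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed sample input: first header is a prototype-chain reference.
const CONSTRUCTED_CSV = '__proto__.polluted,name\nyes,alice\n';

// Split one CSV line on commas (no quoting support; enough for the demo).
function parseLine(line) {
  return line.split(',').map((s) => s.trim());
}

// Assign `value` at dotted `path` inside `obj`.
// With guard=true, any segment naming a prototype-related key is rejected.
function setPath(obj, path, value, guard) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length; i++) {
    const key = parts[i];
    if (guard && FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected unsafe header segment: ${key}`);
    }
    if (i === parts.length - 1) {
      cur[key] = value; // final segment: plain assignment
    } else {
      // Intermediate segment: descend, creating a container if needed.
      // Unguarded, key "__proto__" returns Object.prototype here.
      if (typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
      cur = cur[key];
    }
  }
}

// Convert CSV text (header row + data rows) into an array of nested records.
function csvToJson(text, { guard = true } = {}) {
  const [headerLine, ...rows] = text.trim().split('\n');
  const headers = parseLine(headerLine);
  return rows.map((row) => {
    const cells = parseLine(row);
    const record = {}; // Object.create(null) would be a further hardening
    headers.forEach((h, i) => setPath(record, h, cells[i], guard));
    return record;
  });
}

// Returns true if a fresh object shows the constructed "polluted" property.
function isPolluted() {
  return ({}).polluted !== undefined;
}
```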