Version 1.1.4 of the csvtojson Node.js package differs only slightly from its predecessor, version 1.1.3. Both versions share the same core functionality, converting CSV data into JSON with a customizable parser that accommodates various CSV layouts. They declare the same lodash dependency (^4.17.3) for utility functions and use an identical set of development dependencies for building, testing, and maintaining the package, including Grunt, Browserify, JSHint, Uglify, and Mocha.
One manifest-level difference is the repository field. Version 1.1.4 writes the repository URL with the "git+https" scheme, the form npm documents for Git repository URLs in package.json. This is a metadata change only: it affects how tooling parses the repository field, not how the package is installed or which code it contains.
The other difference is the release date: version 1.1.4 was published on February 3, 2017, ten days after version 1.1.3 on January 23, 2017. Nothing in the manifest data compared here identifies what changed in that interval, and a later date on its own is not evidence of bug fixes or a more robust build. From a security standpoint the more important fact is that both versions predate 2.0.10 and so both fall inside the range affected by the prototype pollution issue described below; neither 1.1.3 nor 1.1.4 should be preferred over the other on that basis.
Vulnerabilities affecting version 1.1.4 of the package
CSVTOJSON has a prototype pollution vulnerability
The csvtojson package, a tool for converting CSV data to JSON with customizable parsing, contains a prototype pollution vulnerability in versions prior to 2.0.10. The issue stems from insufficient sanitization of nested header names during parsing in the parser_jsonarray component. When a CSV input contains specially crafted header fields that reach into the prototype chain (for example a header segment named `__proto__`), the parser can write properties onto the base Object prototype instead of onto the row object being built. Because every ordinary object inherits from that prototype, the injected property becomes visible throughout the process, which can cause denial of service or unexpected behaviour in any code that assumes an unmodified prototype chain. The flaw is reachable wherever untrusted CSV is parsed and requires no interaction beyond supplying a maliciously constructed CSV file.
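The following is an added example, not csvtojson's own code, that reproduces the class of bug described above in a minimal CSV-to-nested-object converter and places a hardened variant beside it. The header-splitting rule (nested keys separated by "."), the helper names, and the CSV inputs are all constructed for this illustration; the only assumption carried over from the advisory text is that a header segment such as `__proto__` is written into nested objects without being checked.

```javascript
// Added illustrative example (not csvtojson's implementation). Shows how an
// unchecked nested header such as "__proto__.polluted" writes through to
// Object.prototype, and how rejecting prototype-related segments stops it.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Naive CSV line splitter; the constructed samples below contain no quoting.
function splitLine(line) {
  return line.split(",").map((s) => s.trim());
}

// Vulnerable: walks the dotted header path with plain property access.
// For a root of {} the lookup cur["__proto__"] returns Object.prototype
// (not undefined), so the walk descends into it and the final assignment
// lands on the shared prototype.
function setPathUnsafe(target, path, value) {
  const parts = path.split(".");
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
}

// Hardened: refuse prototype-related segments outright and only descend into
// containers the row object itself owns, never into inherited properties.
function setPathSafe(target, path, value) {
  const parts = path.split(".");
  for (const part of parts) {
    if (FORBIDDEN_KEYS.has(part)) {
      throw new Error(`refusing header segment "${part}" in "${path}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const owned = Object.prototype.hasOwnProperty.call(cur, key);
    if (!owned || typeof cur[key] !== "object" || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
}

// Converts header row + data rows into an array of nested objects using the
// supplied path-setter, so the same driver exercises both variants.
function csvToObjects(csv, setPath) {
  const lines = csv.trim().split("\n");
  const headers = splitLine(lines[0]);
  return lines.slice(1).map((line) => {
    const cells = splitLine(line);
    const row = {};
    headers.forEach((h, i) => setPath(row, h, cells[i]));
    return row;
  });
}

// Constructed inputs: one malicious header targeting the prototype chain,
// one benign nested header that a converter must still handle.
const MALICIOUS_CSV = ["name,__proto__.polluted", "alice,yes"].join("\n");
const BENIGN_CSV = ["user.name,user.age", "alice,30"].join("\n");

// Runs the vulnerable setter and reports whether an unrelated, freshly created
// object now sees the injected property. Cleans up so the process stays sane.
function demoUnsafe() {
  const rows = csvToObjects(MALICIOUS_CSV, setPathUnsafe);
  const leakedBefore = {}.polluted;
  delete Object.prototype.polluted;
  return { rows, leaked: leakedBefore, leakedAfterCleanup: {}.polluted };
}

// Runs the hardened setter: the malicious header is rejected and the
// prototype is untouched; benign nesting still produces nested objects.
function demoSafe() {
  let rejected = false;
  let message = "";
  try {
    csvToObjects(MALICIOUS_CSV, setPathSafe);
  } catch (e) {
    rejected = true;
    message = e.message;
  }
  const benign = csvToObjects(BENIGN_CSV, setPathSafe);
  return { rejected, message, leaked: {}.polluted, benign };
}

module.exports = { setPathUnsafe, setPathSafe, csvToObjects, demoUnsafe, demoSafe };
```

Run `node` on the file and call `demoUnsafe()` then `demoSafe()`: the first returns `leaked: "yes"` because `{}.polluted` resolves through the now-polluted Object.prototype, the second throws on the `__proto__` segment and leaves `{}.polluted` undefined while still building `{ user: { name: "alice", age: "30" } }` from the benign input. Rejecting the segment is preferable to silently dropping it, since a dropped column hides the fact that hostile input was received; parsers that must tolerate arbitrary headers can instead build rows with `Object.create(null)` so there is no prototype to reach.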