Del-cli, a cross-platform command-line tool for deleting files and directories, saw a significant update moving from version 1.1.0 to 2.0.0. This update introduces notable changes in its dependencies, reflecting advancements in the underlying ecosystem.
Version 2.0.0 now relies on del version ^4.1.1, a jump from ^3.0.0 in the older version, signifying potentially improved deletion capabilities and bug fixes. Similarly, meow, a CLI argument parser, is updated to ^5.0.0 from ^3.6.0, implying enhancements in argument parsing and CLI experience. Importantly, update-notifier, present in v1.1.0 for notifying users of updates, has been removed as a dependency in v2.0.0, possibly indicating a change in how updates are managed or communicated.
The development dependencies also reveal a shift. While both versions utilize xo for code linting, ava for testing, and temp-write for temporary file writing, the specific versions have evolved. execa, a process execution library, is upgraded to ^1.0.0 from ^0.7.0. The newer version implies improvements in process handling and error reporting during development. Developers upgrading should note these changed dependency versions, ensuring compatibility within their existing projects. The updated del-cli promises a more current and potentially more robust solution for cross-platform file deletion, offering benefits of updated underlying libraries.
All vulnerabilities related to version 2.0.0 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
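The mechanism behind this advisory, as an added example that is not code from del-cli or yargs-parser: a minimal dotted-key argument setter in the vulnerable shape described above, a hardened form that refuses prototype-reaching segments, and a check a maintainer can run after parsing untrusted argv to confirm Object.prototype was not touched. All function names here are hypothetical.

```javascript
// Added example (not del-cli's or yargs-parser's code): vulnerable and
// hardened dotted-key setters, plus a post-parse pollution check.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: walks the dotted path without inspecting segment names, so
// "--foo.__proto__.bar baz" writes bar=baz onto Object.prototype.
function setPathUnsafe(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  let obj = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (obj[parts[i]] === undefined) obj[parts[i]] = {};
    obj = obj[parts[i]]; // for "__proto__" this is Object.prototype itself
  }
  obj[parts[parts.length - 1]] = value;
  return target;
}

// Hardened: reject prototype-reaching segments, descend only through own
// properties, and create intermediates with no prototype chain at all.
function setPathSafe(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  if (parts.some((p) => DANGEROUS_KEYS.has(p))) throw new Error(`forbidden key: ${dottedKey}`);
  let obj = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(obj, parts[i])) obj[parts[i]] = Object.create(null);
    obj = obj[parts[i]];
  }
  obj[parts[parts.length - 1]] = value;
  return target;
}

// Minimal argv walker for "--a.b value" and "--a.b=value"; setter is pluggable.
function parseArgs(argv, setPath = setPathSafe) {
  const result = {};
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) continue;
    const eq = arg.indexOf('=');
    const key = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
    const value = eq === -1 ? argv[++i] : arg.slice(eq + 1);
    setPath(result, key, value);
  }
  return result;
}

// Detection: any own name on Object.prototype beyond the load-time baseline means pollution.
const PROTO_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
function prototypeIsClean() {
  return Object.getOwnPropertyNames(Object.prototype).every((n) => PROTO_BASELINE.has(n));
}
```

Running prototypeIsClean() after every parse of external input is a cheap regression check to keep in a CLI's test suite while the dependency upgrade is pending.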
Uncontrolled Resource Consumption in trim-newlines
@rkesters/gnuplot is an easy-to-use Node module to draw charts using gnuplot and ps2pdf. The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial of service (ReDoS) for the .end() method.