Grunt-browserify versions 1.3.1 and 1.3.0 offer Grunt tasks for integrating Node.js Browserify into your build process, streamlining the management of browser-compatible JavaScript modules within Grunt workflows. Both versions share core dependencies, including "browserify-shim," "through," "lodash," and "async," ensuring continuity in shim management, stream processing, utility functions, and asynchronous operations. The peer dependencies are also the same for both versions: "browserify":">=2.35 < 4.0.0" and "grunt":"~0.4.0".
The key divergence between these releases lies in their development dependencies, specifically impacting the Browserify version used during development. Version 1.3.1 updates the development dependency to "browserify":"~3.20". This indicates an upgrade to a more recent Browserify version during the development cycle, potentially introducing new features, bug fixes, or performance improvements that developers can leverage during testing and development with Grunt. Version 1.3.0 depends on an older Browserify version "browserify":"~3.0".
For developers considering an upgrade, this enhancement in 1.3.1 warrants attention. While the peer dependency remains unchanged, meaning the plugin supports Browserify versions 2.35 to less than 4.0.0, the development dependency update to 3.20 in version 1.3.1 can lead to more efficient and up-to-date Browserify development.
The newer version was released later ("releaseDate":"2014-02-11T23:57:20.329Z") than the older version ("releaseDate":"2013-12-13T18:13:50.135Z"), offering bug fixes and performance improvements that the older version doesn't have.
All vulnerabilities related to version 1.3.1 of the package
thlorenz browserify-shim vulnerable to prototype pollution
Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the k variable in resolve-shims.js.
thlorenz browserify-shim vulnerable to prototype pollution
Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the shimPath variable in resolve-shims.js.
thlorenz browserify-shim vulnerable to prototype pollution
Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the fullPath variable in resolve-shims.js.
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Prototype Pollution in lodash
Versions of lodash before 4.17.11 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.11 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.5 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.5 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.12 or later.
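The two payload shapes named in the lodash advisories above (`__proto__` and `{constructor: {prototype: {...}}}`) can be checked against a merge routine as follows. This is an added example, not code from lodash or grunt-browserify; `naiveMerge`, `safeMerge`, `pollutes` and the `pollutedMarker` property are hypothetical names, and the JSON inputs are constructed.

```javascript
// Added example; function names and payloads are constructed, not lodash code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Functions count as objects here, which is what makes the constructor path reachable.
function isObject(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// Vulnerable pattern: recurses into whatever target[key] resolves to,
// including inherited values such as Object.prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    if (isObject(src) && isObject(target[key])) naiveMerge(target[key], src);
    else target[key] = src;
  }
  return target;
}

// Hardened pattern: skips prototype-reaching keys and only recurses into
// properties the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isObject(src) && own && isObject(target[key])) safeMerge(target[key], src);
    else target[key] = src;
  }
  return target;
}

// Constructed inputs matching the two shapes named in the advisories.
const VIA_PROTO = '{"__proto__":{"pollutedMarker":true}}';
const VIA_CTOR = '{"constructor":{"prototype":{"pollutedMarker":true}}}';

// Returns true if merging the payload into {} leaks a property onto every object.
function pollutes(mergeFn, payloadJson) {
  mergeFn({}, JSON.parse(payloadJson));
  const leaked = ({}).pollutedMarker !== undefined;
  delete Object.prototype.pollutedMarker; // restore the global prototype
  return leaked;
}

for (const [name, fn] of [['naiveMerge', naiveMerge], ['safeMerge', safeMerge]]) {
  console.log(name, 'via __proto__:', pollutes(fn, VIA_PROTO),
              '| via constructor.prototype:', pollutes(fn, VIA_CTOR));
}
```

The same `pollutes` check can be pointed at any merge helper in a build pipeline as a regression test after upgrading lodash to the fixed versions listed above.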