Grunt-open is a Grunt task designed to simplify the process of opening URLs and files directly from your Grunt configuration, streamlining your development workflow. Versions 0.2.0 and 0.2.1 share the same core functionality and author details, but a developer should note a key difference in their dependency management regarding the "open" package. Version 0.2.0 explicitly requires "open" version 0.0.2. Version 0.2.1 introduces a more relaxed dependency constraint, specifying "~0.0.2" for the "open" package. This seemingly small change allows potentially compatible updates (such as patch releases) within the 0.0.x range, giving users the benefit of bug fixes or minor improvements without being locked into the precise initial release.
Both versions depend on "grunt" (version ~0.4.0) and "grunt-contrib-jshint" (version ~0.1.1) for task running and code quality checks, respectively, indicating a commitment to Grunt's ecosystem and code maintainability. Published roughly five months apart (February 2013 and July 2013), version 0.2.1 likely addresses minor issues experienced by early adopters of 0.2.0. Developers considering using or updating to grunt-open should assess whether the loosened dependency on the open package in version 0.2.1 offers advantages in terms of compatibility and potential bug fixes, weighed against the stability of a pinned dependency. Ultimately, both support streamlining workflows by automating the browser opening or file access part of Grunt-based builds.
All the vulnerabilities related to version 0.2.1 of the package:
Command Injection in open
Versions of open before 6.0.0 are vulnerable to command injection when unsanitized user input is passed in. The package does come with the following warning in the readme:
The same care should be taken when calling open as if you were calling child_process.exec directly. If it is an executable it will run in a new shell.
open is now the deprecated opn package. Upgrading to the latest version is likely to have unwanted effects, since it now has a very different API, but it will prevent this vulnerability.
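Because open before 6.0.0 hands the target string to a shell, the defensive fix on the caller's side is to never let unvalidated input reach it. The following is an added example, not code from grunt-open or open: it validates a would-be target against an allowlist (absolute http/https URLs, conservative character set, no shell metacharacters) and only then builds the grunt-open task entry; the `path` option name is assumed to match grunt-open's configuration.

```javascript
// Added example: gate user-supplied targets before they reach grunt-open / open.
// Policy: absolute http(s) URLs only, and only characters a dev URL needs.
// Everything a shell treats as an operator (space, ; & | ` $ ( ) quotes, etc.)
// is outside the allowlist, so it is rejected instead of escaped.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
// Note: '&' is deliberately excluded, so multi-parameter query strings must be
// assembled inside the Gruntfile rather than accepted from outside input.
const SAFE_CHARS = /^[A-Za-z0-9\-._~:\/?#@%=+,]+$/;

// Returns the normalized URL string, or throws on anything outside the policy.
function validateOpenTarget(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) {
    throw new Error('open target must be a non-empty string');
  }
  if (!SAFE_CHARS.test(input)) {
    throw new Error('open target contains characters outside the allowlist');
  }
  let url;
  try {
    url = new URL(input); // global WHATWG URL parser; rejects relative paths
  } catch (e) {
    throw new Error('open target is not an absolute URL');
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    throw new Error('protocol not allowed: ' + url.protocol);
  }
  return url.href;
}

// Convenience predicate for checks and tests: true if the target is refused.
function rejectsOpenTarget(input) {
  try { validateOpenTarget(input); return false; } catch (e) { return true; }
}

// Builds one grunt-open task entry (assumed shape: { name: { path: url } })
// from a validated target, so the Gruntfile never stores raw input.
function buildOpenTask(name, target) {
  return { [name]: { path: validateOpenTarget(target) } };
}

module.exports = { validateOpenTarget, rejectsOpenTarget, buildOpenTask };
```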