Grunt Open is a Grunt task designed to simplify the process of opening URLs and files directly from your Grunt build process, streamlining your workflow. Comparing version 0.2.2 with its predecessor, version 0.2.1, reveals a key update in its dependencies. Version 0.2.2 relies on the "open" package, a crucial dependency for platform-agnostic opening of files and URLs, specifying a version range of "~0.0.4". This represents an upgrade from version 0.2.1, which depended on "open": "~0.0.2". This subtle change potentially incorporates bug fixes, performance improvements, or new features within the "open" package itself. For developers integrating Grunt Open, tracking the "open" package's changes through semver is important, since grunt-open depends on it. Both versions retain the same core functionality and development dependencies, including support for Grunt version 0.4.0 and the JSHint linter, ensuring code quality. The package repository remains consistent across both versions, hosted on GitHub. If you seek an easy, convenient way to automate opening web pages or files during your Grunt-driven development, Grunt Open offers a targeted solution, evolving incrementally through dependency updates for enhanced functionality and reliability. Keep an eye on the "open" dependency's changelog to fully understand the improvements brought.
All the vulnerabilities related to the version 0.2.2 of the package
Command Injection in open
Versions of open before 6.0.0 are vulnerable to command injection when unsanitized user input is passed in.
The package does come with the following warning in the readme:
The same care should be taken when calling open as if you were calling child_process.exec directly. If it is an executable it will run in a new shell.
open is now the deprecated opn package. Upgrading to the latest version is likely to have unwanted effects since it now has a very different API, but it will prevent this vulnerability.
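The "~0.0.4" range that grunt-open 0.2.2 depends on falls inside the affected versions, so a target built from untrusted input needs checking before it reaches the opener. The following is an added example, not code from grunt-open or open: it assumes targets are http(s) URLs only and covers macOS and Linux, and the names checkTarget, openerArgv, launch and report are hypothetical.

```javascript
// Added example. ALLOWED_SCHEMES, checkTarget, openerArgv, launch and report
// are hypothetical names, not part of grunt-open or open.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Parse the target and accept only absolute http(s) URLs.
// Returns the normalized href; throws otherwise.
function checkTarget(target) {
  let url;
  try {
    url = new URL(String(target));
  } catch {
    throw new Error('not an absolute URL');
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    throw new Error('scheme not allowed: ' + url.protocol);
  }
  return url.href;
}

// Build [command, args]. The URL is a single argv element, so characters
// such as ; and & are data for the opener, not syntax for a shell.
function openerArgv(target, platform = process.platform) {
  const href = checkTarget(target);
  if (platform === 'darwin') return ['open', [href]];
  if (platform === 'linux') return ['xdg-open', [href]];
  throw new Error('unsupported platform in this example: ' + platform);
}

// execFile starts the program directly; no shell parses the arguments.
function launch(target) {
  const { execFile } = require('child_process');
  const [cmd, args] = openerArgv(target);
  return execFile(cmd, args);
}

// Check a list of targets without launching anything.
function report(targets) {
  return targets.map((t) => {
    try {
      return { target: t, ok: true, href: checkTarget(t) };
    } catch (err) {
      return { target: t, ok: false, reason: err.message };
    }
  });
}

// Constructed sample targets.
console.log(report(['http://localhost:8080/a;b&c', 'file:///etc/hosts', 'index.html && x']));
```

The first sample passes validation with its ; and & intact; those characters are harmless only because launch never hands the string to a shell.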