Gulp-notify is a Gulp plugin that delivers system notifications on macOS, Linux, and Windows, giving immediate feedback on your Gulp tasks. Version 1.2.2, released on March 22, 2014, builds on the previous stable version, 1.2.1, released a week earlier on March 14, 2014. Both versions share the same core dependencies: through2 for stream manipulation, gulp-util for Gulp utilities, node.extend for object extension, and lodash.template for templating. The one difference is the node-notifier dependency, which 1.2.2 raises to ^2.0.3 from ^2.0.2 in 1.2.1. This small bump likely carries minor bug fixes or improvements to notification handling, which would make 1.2.2 the somewhat more reliable choice. Both versions use the same development dependencies: gulp, mocha for testing, should for assertions, and gulp-plumber for error handling. If you already use gulp-notify, upgrading to 1.2.2 is recommended for the improved notification reliability the updated node-notifier may provide; new users should pick 1.2.2 as the most current stable release. Note, however, that the ^2.0.3 range still falls well within the node-notifier versions covered by the OS command injection advisory listed below (all releases before 8.0.1), so this upgrade does not address that issue.
All known vulnerabilities affecting version 1.2.2 of the package (through its dependency tree)
Uncontrolled Resource Consumption in trim-newlines
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) in the .end() method.
OS Command Injection in node-notifier
This affects the package node-notifier before 8.0.1. It allows an attacker to run arbitrary commands on Linux machines because the options parameters are not sanitised when passed as an array.
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.