Gulp-notify is a gulp plugin that sends notifications based on Vinyl files or errors to your operating system, supporting macOS, Linux, and Windows. It is built on the node-notifier module and falls back to Growl or plain logging where native notifications are unavailable.
Version 3.0.0, released in January 2017, brings several updates compared to the previous stable version, 2.2.0 from January 2015. The most significant are the dependency upgrades: 'through2' (from ^0.6.3 to ^2.0.3), 'gulp-util' (from ^3.0.2 to ^3.0.8), 'node-notifier' (from ^4.1.0 to ^5.0.1), and 'lodash.template' (from ^3.0.0 to ^4.4.0). These newer dependency versions carry bug fixes, performance improvements, and new features that the plugin uses.
The development dependencies, such as mocha and should, were also updated, which strengthens the plugin's test suite and gives users more confidence in its stability.
Developers considering an upgrade should review these dependency changes for potential breaking changes in their existing gulp workflows. Version 3.0.0 is the more modern and better-maintained option and benefits from the latest improvements in its dependency ecosystem.
Known vulnerabilities affecting version 3.0.0 of the package
OS Command Injection in node-notifier
This affects the package node-notifier before 8.0.1. It allows an attacker to run arbitrary commands on Linux machines because the options parameters are not sanitised when they are passed as an array.
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
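As an added example (not code from gulp-notify, node-notifier or lodash), the following audit walks a resolved dependency tree, flags installs older than the fixed versions named in the two advisories above, and checks whether a declared caret range such as gulp-notify 3.0.0's ^5.0.1 for node-notifier can ever resolve to the fixed release. The semver helpers and the sample tree are constructed for this example and are not a real lockfile.

```javascript
// Added example (not the project's code): audit a resolved dependency tree
// against the page's two advisories; fixed versions come from the page.
const ADVISORIES = {
  'node-notifier': { fixed: '8.0.1', title: 'OS Command Injection' },
  lodash: { fixed: '4.17.21', title: 'Command Injection via template' },
};
// Minimal semver helpers: major.minor.patch only, prerelease tags ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}
// Walk a package-lock-style tree ({ name: { version, dependencies } }) and
// report every install older than its advisory's fixed version, with its path.
function findVulnerable(tree, prefix = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree)) {
    const path = [...prefix, name];
    const adv = ADVISORIES[name];
    if (adv && compareVersions(node.version, adv.fixed) < 0) {
      hits.push({ path: path.join(' > '), version: node.version, fixed: adv.fixed, title: adv.title });
    }
    if (node.dependencies) hits.push(...findVulnerable(node.dependencies, path));
  }
  return hits;
}
// A caret range ^X.Y.Z (X >= 1) resolves only within major X, so a declared
// range can pick up a fix only if the fixed version shares that major.
function caretRangeCanReachFix(range, fixed) {
  const m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m || Number(m[1]) === 0) throw new Error(`unsupported range: ${range}`);
  return parseVersion(fixed)[0] === Number(m[1]) && compareVersions(fixed, m.slice(1).join('.')) >= 0;
}
// Constructed sample tree: a hypothetical resolution of gulp-notify 3.0.0's
// declared ranges, not a real lockfile.
const SAMPLE_TREE = {
  'gulp-notify': { version: '3.0.0', dependencies: {
    'node-notifier': { version: '5.4.3' },
    'lodash.template': { version: '4.5.0', dependencies: { lodash: { version: '4.17.15' } } },
  } },
};
```

Because ^5.0.1 stays within major 5, no minor or patch update of gulp-notify 3.0.0's declared range reaches node-notifier 8.0.1; only a major bump of the dependency (or an override in the consuming project) does.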