Gulp version 0.0.7 represents a significant update from version 0.0.5, introducing notable changes in its dependencies and development dependencies. For developers, the clear shift in dependency management is the key point. Version 0.0.7 specifies exact versions for core dependencies such as mkdirp (0.3.5), optimist (0.6.0), glob-stream (0.0.3), and event-stream (3.0.15). This contrasts sharply with version 0.0.5, which used wildcard versioning ("*") for async, glob-stream, and event-stream. Pinning makes builds more stable and predictable and shields them from breaking changes shipped in upstream releases, which matters to anyone who needs a stable environment and reproducible builds.
Moreover, version 0.0.7 utilizes specific versions of its developer dependencies mocha (1.12.0), rimraf (2.2.0), and should (1.2.2), while version 0.0.5 used wildcard versioning for both mocha and should. The introduction of rimraf as a development dependency in 0.0.7 suggests potentially improved tooling or testing processes within the gulp build environment.
For those reliant on the stability of gulp builds, upgrading to version 0.0.7 offers a valuable gain in predictability. The precise version constraints on dependencies reduce the risk of unexpected issues arising from upstream updates, leading to a more consistent and reliable build process. Also keep an eye on the newly introduced dependencies, mkdirp and optimist, which can be used from your gulpfile.js.
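As an added illustration of the pinning point above (this is not gulp's own code or manifest), the following script audits a package.json-style dependency map for ranges that are not exact pins and diffs two manifests. The sample maps are partial reconstructions from the versions named above (the 0.0.7 sample lists only the packages the text mentions), and the helper names are my own.

```javascript
'use strict';
// Constructed samples: partial dependency maps rebuilt from the versions stated
// in the text above, not the full package.json of either gulp release. The
// 0.0.7 map lists only what the text names, so "async" showing up as removed
// reflects the sample, not a verified fact about gulp 0.0.7.
const GULP_0_0_5 = {
  dependencies: { async: '*', 'glob-stream': '*', 'event-stream': '*' },
  devDependencies: { mocha: '*', should: '*' },
};
const GULP_0_0_7 = {
  dependencies: { mkdirp: '0.3.5', optimist: '0.6.0', 'glob-stream': '0.0.3', 'event-stream': '3.0.15' },
  devDependencies: { mocha: '1.12.0', rimraf: '2.2.0', should: '1.2.2' },
};

// An exact pin is a bare semver triple (optionally with a prerelease tag).
// Anything else (*, latest, ^, ~, >=, x-ranges, git/URL specs) can float.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Names of dependencies whose range is not an exact version.
function findUnpinned(deps) {
  return Object.keys(deps).filter((name) => !EXACT.test(String(deps[name]).trim()));
}

// Compare two dependency maps: what was added, dropped, or re-pinned.
function diffDeps(before, after) {
  const added = Object.keys(after).filter((n) => !(n in before));
  const removed = Object.keys(before).filter((n) => !(n in after));
  const changed = Object.keys(after)
    .filter((n) => n in before && before[n] !== after[n])
    .map((n) => ({ name: n, from: before[n], to: after[n] }));
  return { added, removed, changed };
}

// Audit a whole manifest; one finding per unpinned entry, so the result can be
// logged or used to fail a CI step.
function auditManifest(pkg) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies']) {
    const deps = pkg[section] || {};
    for (const name of findUnpinned(deps)) {
      findings.push({ section, name, range: deps[name] });
    }
  }
  return findings;
}

console.log('0.0.5 unpinned:', auditManifest(GULP_0_0_5));
console.log('0.0.7 unpinned:', auditManifest(GULP_0_0_7));
console.log('dependency changes:', diffDeps(GULP_0_0_5.dependencies, GULP_0_0_7.dependencies));
```

Run it with node against the constructed samples: the 0.0.5 map yields five findings (every entry floats), the 0.0.7 map yields none, and the diff shows mkdirp and optimist as new and glob-stream and event-stream re-pinned. Pointing `auditManifest` at a real `require('./package.json')` is the intended use.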
Vulnerabilities reported for version 0.0.7 of the package
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application. This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
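Both advisories above come down to the same defect: a dotted-key setter that follows a "__proto__" segment into Object.prototype. The following added example (my own code, not minimist's index.js and not anything from gulp) shows a toy argv parser with a setter that reproduces that flaw beside a hardened one, plus a pre-parse check that flags such arguments before any parser sees them. All names (setKeyUnsafe, setKeySafe, parseArgs, findPollutionAttempts, FORBIDDEN_SEGMENTS) are assumptions of this example.

```javascript
'use strict';
// Path segments that reach a shared prototype instead of an own property.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// "Before": a dotted-path setter with the same defect the advisories describe.
// On a plain object, cur['__proto__'] is Object.prototype, so the final
// assignment lands on every object in the process. Kept only for contrast.
function setKeyUnsafe(obj, path, value) {
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    if (cur[path[i]] === undefined) cur[path[i]] = {};
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
}

// "After": refuse prototype-reaching segments outright and create intermediate
// containers without a prototype, so no assignment can walk out of the result.
function setKeySafe(obj, path, value) {
  for (const seg of path) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`rejected argument key: "${seg}" is not an allowed segment`);
    }
  }
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    const existing = Object.prototype.hasOwnProperty.call(cur, seg) ? cur[seg] : undefined;
    if (typeof existing !== 'object' || existing === null) cur[seg] = Object.create(null);
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
}

// Toy "--a.b=c" / "--flag" parser (not minimist's code). `hardened` selects the
// root object and the setter so both behaviours can be run on the same input.
function parseArgs(argv, hardened) {
  const out = hardened ? Object.create(null) : {};
  const setKey = hardened ? setKeySafe : setKeyUnsafe;
  for (const arg of argv) {
    if (!arg.startsWith('--')) continue; // positionals are ignored in this toy
    const body = arg.slice(2);
    const eq = body.indexOf('=');
    const key = eq === -1 ? body : body.slice(0, eq);
    const value = eq === -1 ? true : body.slice(eq + 1);
    setKey(out, key.split('.'), value);
  }
  return out;
}

// Pre-parse check for logging or rejecting input before it reaches any parser,
// including an unpatched one: returns the offending arguments.
function findPollutionAttempts(argv) {
  return argv.filter((arg) => {
    if (!arg.startsWith('--')) return false;
    const key = arg.slice(2).split('=')[0];
    return key.split('.').some((seg) => FORBIDDEN_SEGMENTS.has(seg));
  });
}

// Constructed sample input: one ordinary option and the advisory's argument.
const SAMPLE_ARGV = ['--dest.dir=build', '--__proto__.y=Polluted'];
console.log('flagged before parsing:', findPollutionAttempts(SAMPLE_ARGV));
console.log('hardened parse of clean args:', parseArgs(['--dest.dir=build', '--verbose'], true));
```

The hardened setter rejects rather than silently dropping the segment, so a polluted argument surfaces in logs instead of being absorbed; the null-prototype containers are defence in depth for any segment the deny-list misses. The real fix is still the version bump the advisories give (minimist 0.2.1/1.2.3, then 0.2.4/1.2.6), with the pre-parse check as a temporary mitigation while transitive dependencies such as optimist catch up.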