History version 1.12.6 represents a minor update to the history package, building upon the foundation laid by version 1.12.5. Both versions offer a minimal and functional JavaScript implementation for managing browser history, a crucial aspect of single-page applications and complex web interfaces. They share identical core dependencies, including "deep-equal," "invariant," "qs," and "warning," ensuring consistent handling of object comparisons, runtime assertions, query string parsing, and controlled error reporting respectively. Similarly, their development dependencies are the same, suggesting a unified build and testing process leveraging tools like Babel for ES6 transpilation, ESLint for code linting, Webpack for bundling, and Karma for cross-browser testing.
The key distinction between the two lies in their release dates: version 1.12.6 was published on October 25, 2015, approximately two weeks after version 1.12.5, which was released on October 11, 2015. While the changelog is not provided here, the close proximity of the releases suggests that version 1.12.6 likely contains bug fixes, performance improvements, or minor adjustments addressing issues identified in the preceding version. Developers should note that while API compatibility is most likely preserved between the two versions, it is always recommended to consult the official history package changelog or release notes to determine the specific changes included in version 1.12.6 before upgrading, ensuring a seamless integration and predictable behavior within their applications. The identical configuration of dependencies and development tools reflects the project's emphasis on stability and a consistent developer workflow.
All vulnerabilities related to version 1.12.6 of the package
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.