Hoek is a small but useful Node.js utility library built for general-purpose tasks. Comparing versions 6.0.2 and 6.0.1, both keep the same core description and BSD-3-Clause license, so the package remains accessible and open source. The code repository is unchanged, hosted on GitHub under the hapijs organization, which provides stable hosting and community support. Both versions also share identical dependencies and development dependencies, using the code and lab packages for testing, which suggests attention to code quality and test rigor during development.
The key differences are the release dates and the unpacked size, which point to internal changes. Version 6.0.2 was released on November 6, 2018, a few days after 6.0.1 on November 3, 2018. This short interval suggests a quick fix or minor enhancement prompted the update. The unpacked size also grew from 28321 to 29235 bytes. For developers, such a patch-level version increment together with a small size increase signals a bug fix or minor feature rather than a large overhaul. Developers should check the release notes or commit history for the specific changes, although the library mainly provides reliable cloning, merging, and other utility functions. The identical dependency profile and short gap between releases imply a smooth, safe upgrade for users already on the v6 branch, without breaking changes.
All vulnerabilities affecting version 6.0.2 of the package
hoek is subject to prototype pollution via the clone function.
hoek versions prior to 8.5.1, and 9.x prior to 9.0.3, are vulnerable to prototype pollution in the clone function. If an object with a "__proto__" key is passed to clone(), the key is converted into a prototype. This issue has been patched in version 9.0.3 and backported to 8.5.1.
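The following is an added example, not hoek's own code, that shows the mechanism described above on a constructed input: a deep clone that assigns through obj[key] turns an own "__proto__" key into the prototype of the cloned object, while a clone that defines each key as a plain data property does not. The function names naiveClone and safeClone are hypothetical.

```javascript
// Constructed input: JSON.parse creates "__proto__" as an OWN enumerable data
// property, which is how such a key typically reaches a clone routine from
// untrusted input (a request body, a config file, ...).
const untrusted = JSON.parse('{"name":"alice","__proto__":{"isAdmin":true}}');

// Naive clone (hypothetical, illustrates the bug class): out[key] = ... invokes
// the __proto__ setter, so the clone's prototype becomes the injected object.
function naiveClone(src) {
  if (src === null || typeof src !== 'object') return src;
  const out = Array.isArray(src) ? [] : {};
  for (const key of Object.keys(src)) {
    out[key] = naiveClone(src[key]);
  }
  return out;
}

// Hardened clone: every key is defined as an own data property, so "__proto__"
// is copied as ordinary data and the result's prototype chain is untouched.
function safeClone(src) {
  if (src === null || typeof src !== 'object') return src;
  const out = Array.isArray(src) ? [] : {};
  for (const key of Object.keys(src)) {
    Object.defineProperty(out, key, {
      value: safeClone(src[key]),
      enumerable: true, writable: true, configurable: true,
    });
  }
  return out;
}

// Check usable in a test suite: did the input replace the clone's prototype?
function prototypeWasReplaced(cloned) {
  return Object.getPrototypeOf(cloned) !== Object.prototype;
}

// Runs both clones over the constructed input and reports what happened.
function demo() {
  const bad = naiveClone(untrusted);
  const good = safeClone(untrusted);
  return {
    naiveInherits: bad.isAdmin === true,               // true: inherited from the injected prototype
    naivePrototypeReplaced: prototypeWasReplaced(bad), // true
    safeInherits: good.isAdmin === true,               // false
    safePrototypeReplaced: prototypeWasReplaced(good), // false
    safeKeepsKeyAsData: Object.prototype.hasOwnProperty.call(good, '__proto__'), // true
    globalUntouched: ({}).isAdmin === undefined,       // true: Object.prototype itself is not modified
  };
}
```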