The html-to-text npm package provides a straightforward way to convert HTML content into plain text, useful wherever readable text must be extracted from HTML documents, such as email processing, data analysis, or text-based previews. Version 0.0.4 builds on the previous stable version 0.0.3 by introducing the "optimist" package as a new dependency, which suggests a change in how the library handles command-line arguments or configuration options. Developers migrating from 0.0.3 should note this new dependency and ensure it is included in their project.
Both versions share core dependencies like "htmlparser," "underscore," and "underscore.string," signifying a continued reliance on these libraries for HTML parsing and string manipulation. "htmlparser" likely handles the structural analysis of the HTML, while "underscore" and "underscore.string" facilitate data manipulation and text processing within the conversion logic. The MIT license across both versions guarantees freedom for developers to use, modify, and distribute the package.
The author, Malte Legenhausen, is the same for both releases, giving a stable point of contact and a likely source for future updates. While the core function remains the same (converting HTML to text), the addition of "optimist" in version 0.0.4 may open new functionality related to argument parsing and may affect how the library is configured. Developers considering an upgrade should investigate how the optimist integration changes the library's API and options.
All vulnerabilities related to version 0.0.4 of the package
Regular Expression Denial of Service in underscore.string
Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).
The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.
Upgrade to version 3.3.5 or higher.
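The advisory above attributes the slowdown to an overly broad regex in unescapeHTML. The following is an added example, not underscore.string's code, of how an entity decoder can be written so that each '&' costs a bounded amount of work regardless of input length: it scans with indexOf inside a fixed window instead of letting a regex backtrack over the whole remainder. The entity table (a small subset of HTML's named entities) and the 20-character bound are assumptions made for this example.

```javascript
// Added example: linear-time HTML entity decoder (not underscore.string's implementation).
// Assumption: a small subset of named entities is enough to illustrate the technique.
const ENTITY_TABLE = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0',
};
// Assumed bound on the text between '&' and ';'. Any candidate longer than this
// is treated as a literal '&', so a run of ampersands can never trigger a long scan.
const MAX_ENTITY_LENGTH = 20;

// Decodes the body of a numeric reference ("65" or "x41"); returns null if invalid.
// The body is already bounded in length, so these anchored regexes run in constant time.
function decodeNumericEntity(body) {
  let code;
  if (body[0] === 'x' || body[0] === 'X') {
    if (!/^[0-9a-fA-F]{1,6}$/.test(body.slice(1))) return null;
    code = parseInt(body.slice(1), 16);
  } else {
    if (!/^[0-9]{1,7}$/.test(body)) return null;
    code = parseInt(body, 10);
  }
  if (code > 0x10ffff) return null;
  return String.fromCodePoint(code);
}

function unescapeHTML(input) {
  let out = '';
  let i = 0;
  while (i < input.length) {
    const amp = input.indexOf('&', i);
    if (amp === -1) { out += input.slice(i); break; }
    out += input.slice(i, amp);
    // Only look for the terminating ';' inside a window of MAX_ENTITY_LENGTH + 1
    // characters, so the cost per '&' is O(MAX_ENTITY_LENGTH), not O(n).
    const window = input.slice(amp + 1, amp + 2 + MAX_ENTITY_LENGTH);
    const semi = window.indexOf(';');
    if (semi <= 0) {            // no ';' within the bound, or an empty "&;"
      out += '&';
      i = amp + 1;
      continue;
    }
    const body = window.slice(0, semi);
    let decoded = null;
    if (body[0] === '#') {
      decoded = decodeNumericEntity(body.slice(1));
    } else if (Object.prototype.hasOwnProperty.call(ENTITY_TABLE, body)) {
      // hasOwnProperty keeps "&constructor;" from reading Object.prototype.constructor
      decoded = ENTITY_TABLE[body];
    }
    if (decoded === null) {
      out += '&';               // unknown reference: emit the '&' literally and move on
      i = amp + 1;
    } else {
      out += decoded;
      i = amp + 1 + semi + 1;   // skip past the ';'
    }
  }
  return out;
}

// Usage: a 50,000-ampersand input (the size quoted in the advisory) decodes immediately.
console.log(unescapeHTML('&lt;b&gt;&amp;&#65;&#x42;'));        // <b>&AB
console.log(unescapeHTML('&'.repeat(50000)).length);           // 50000
```

The important property is that no step of the decoder ever re-examines more than a fixed number of characters after an ampersand; the regex-based approach the advisory describes lets the engine consider every possible span up to the next ';' for each ampersand, which is where the super-linear growth comes from.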
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to version 0.2.1 or 1.2.3, or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
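Both minimist advisories above concern a dotted-key setter that lets a path such as __proto__.y reach Object.prototype. The following added example is not minimist's setKey() and does not use its grammar; it is an illustrative parser for --key=value and --a.b.c=value arguments, written to show the two mitigations a defender wants in such code: refusing the path segments that can reach a prototype (__proto__, constructor, prototype), and building every result object with Object.create(null) so that a missed check still cannot alter Object.prototype. The parser returns the arguments it refused instead of throwing, which also avoids the uncaught-error crash the first advisory describes.

```javascript
// Added example: hardened dotted-key argument setter (not minimist's setKey()).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeKey(key) {
  return !UNSAFE_KEYS.has(key);
}

// Walks/creates the path inside target and assigns value at the leaf.
// Returns false (and changes nothing) if any segment could reach a prototype.
function setKeySafe(target, path, value) {
  if (path.length === 0 || !path.every(isSafeKey)) return false;
  let obj = target;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    // Only descend into own, plain objects; otherwise replace with a null-prototype
    // container so an intermediate can never be Object.prototype or a function.
    if (!Object.prototype.hasOwnProperty.call(obj, key) ||
        typeof obj[key] !== 'object' || obj[key] === null) {
      obj[key] = Object.create(null);
    }
    obj = obj[key];
  }
  obj[path[path.length - 1]] = value;
  return true;
}

// Minimal parser for --key[=value] arguments with dotted keys (constructed for
// this example). Returns the parsed options and the arguments it refused.
function parseArgs(argv) {
  const opts = Object.create(null);   // no prototype chain to pollute
  const rejected = [];
  for (const arg of argv) {
    if (!arg.startsWith('--')) continue;
    const eq = arg.indexOf('=');
    const rawKey = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
    const value = eq === -1 ? true : arg.slice(eq + 1);
    if (!setKeySafe(opts, rawKey.split('.'), value)) rejected.push(arg);
  }
  return { opts, rejected };
}

// Usage with a constructed argv that mixes ordinary options and the two
// argument shapes named in the advisory above.
const result = parseArgs([
  '--name=app',
  '--db.host=localhost',
  '--__proto__.y=Polluted',
  '--__proto__=Polluted',
  '--constructor.prototype.z=1',
]);
console.log(result.opts.name, result.opts.db.host);   // app localhost
console.log(result.rejected.length);                  // 3
console.log(({}).y === undefined);                    // true: Object.prototype untouched
```

A useful detection check after any argument or JSON parse that builds nested objects is exactly the last line: probe a fresh {} for the property an attacker-controlled key would have set. If it is present, pollution has already happened and the process state cannot be trusted.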