The html-to-text npm package extracts readable text from HTML content. Version 1.2.0, released in January 2015, builds on version 1.1.1, released in December 2014. Both versions share the same runtime dependencies: htmlparser for parsing HTML, underscore for utility functions, underscore.string for string manipulation, and optimist for command-line argument parsing (not something a library user calls directly, so its presence in the dependency tree is easy to overlook). These runtime dependencies are installed into every consumer's tree, so any vulnerability in them is inherited by applications that depend on html-to-text.
The key difference is that version 1.2.0 introduces development dependencies: chai (an assertion library), install (likely used for package installation during development), and mocha (a testing framework). devDependencies are installed only when working on the package itself; npm does not install them for consumers, so they add neither code nor attack surface to applications that depend on html-to-text. What they signal is that 1.2.0 ships with a mocha/chai test suite, which is a modest point in favour of the newer release when the core functionality is otherwise the same. The repository URL, unchanged between releases, lets you inspect the source or contribute.
Vulnerabilities known to affect version 1.2.0 of the package, including those in its transitive dependencies
Regular Expression Denial of Service in underscore.string
Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).
The unescapeHTML function is vulnerable because its entity-matching regular expression is too broad. The slowdown is approximately 2 s for 50,000 characters and grows super-linearly with input size, so a larger untrusted input can stall the single-threaded Node.js event loop for far longer.
Upgrade to version 3.3.5 or later. Because the dependency is declared by html-to-text rather than by your application, check what is actually installed with npm ls underscore.string; if html-to-text's declared range does not permit 3.3.5, upgrade html-to-text itself.
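The following is an added illustration, not html-to-text's or underscore.string's own code. It shows an HTML-entity unescaper built on a regex of the shape that makes unescapeHTML ReDoS-prone (an ampersand, an unbounded run of non-semicolon characters, then a semicolon), beside a bounded version and an input-size guard. The exact pattern underscore.string used, the entity table, and the MAX_INPUT_LENGTH value are this example's own assumptions.

```javascript
// Added example (not html-to-text's or underscore.string's own code): an
// HTML-entity unescaper whose regex has the shape that makes it ReDoS-prone,
// beside a version with a bounded entity body. The exact pattern
// underscore.string used is an assumption here.
const ENTITY_MAP = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Vulnerable shape: on every "&" that never meets a ";", [^;]+ first swallows
// the rest of the input and then backs off one character at a time, so the
// total work grows quadratically with the number of "&" characters.
const UNBOUNDED_ENTITY = /&([^;]+);/g;

// Hardened shape: a real entity body is short, so cap it. Each "&" now costs
// at most a handful of steps regardless of input length.
const BOUNDED_ENTITY = /&([^;]{1,10});/g;

function decodeEntity(match, body) {
  if (Object.prototype.hasOwnProperty.call(ENTITY_MAP, body)) return ENTITY_MAP[body];
  if (/^#\d{1,7}$/.test(body)) {
    const cp = Number(body.slice(1));
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  }
  return match; // unknown entity: leave it as written
}

function unescapeHTMLUnbounded(str) {
  return str.replace(UNBOUNDED_ENTITY, decodeEntity);
}

function unescapeHTMLBounded(str) {
  return str.replace(BOUNDED_ENTITY, decodeEntity);
}

// Constructed adversarial input: n ampersands and no ";" anywhere, so no
// match ever succeeds and every "&" pays the full backtracking cost.
function hostileInput(n) {
  return '&'.repeat(n);
}

// Runs fn on input and reports the result together with wall-clock time.
function timed(fn, input) {
  const start = Date.now();
  const result = fn(input);
  return { result, ms: Date.now() - start };
}

// Defence that does not depend on the regex at all: refuse oversized input
// before it reaches the matcher. The limit is an arbitrary example value.
const MAX_INPUT_LENGTH = 100000;
function unescapeHTMLGuarded(str) {
  if (str.length > MAX_INPUT_LENGTH) throw new RangeError('input too large to unescape');
  return unescapeHTMLBounded(str);
}

// Stand-alone demonstration: identical output on benign input, and the
// bounded matcher stays fast on a large hostile input.
if (typeof require !== 'undefined' && require.main === module) {
  const benign = '&lt;b&gt;Tom &amp; Jerry&lt;/b&gt; &#65;';
  console.log(unescapeHTMLUnbounded(benign) === unescapeHTMLBounded(benign)); // true
  console.log(timed(unescapeHTMLBounded, hostileInput(200000)).ms, 'ms (bounded, 200k)');
  console.log(timed(unescapeHTMLUnbounded, hostileInput(5000)).ms, 'ms (unbounded, 5k)');
}
```

Raising the unbounded run above a few thousand characters is the point of the exercise: the cost climbs with the square of the input, while the bounded matcher stays linear. The length guard is worth keeping even after upgrading, because it protects against the next overly broad pattern as well as this one.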
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution: argument names are not sanitized, so an attacker can modify Object.prototype and thereby add or change a property that then appears on every object in the process. minimist is not a direct dependency of html-to-text; it reaches version 1.2.0 through optimist.
Parsing the argument --__proto__.y=Polluted adds a y property with the value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable only if an attacker controls the arguments passed to minimist, for example when a command-line tool is invoked with user-supplied input.
Upgrade to version 0.2.1 or 1.2.3 (or later) of the respective release line.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to prototype pollution via file index.js, function setKey() (lines 69-95). This is a separate issue from the one above: the earlier fix rejects the __proto__ key, and this advisory covers the remaining path to Object.prototype through constructor.prototype. Upgrade to version 0.2.4 or 1.2.6 (or later) of the respective release line.
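The two minimist advisories above describe the same bug shape twice. As an added illustration for both (this is the page's own toy parser, not minimist's source), the block below implements the dotted "--a.b=value" form that minimist also accepts, once with the unguarded walk that lets --__proto__.y=Polluted and --constructor.prototype.z=1 reach Object.prototype, and once with the checks a complete fix needs: rejecting __proto__, constructor and prototype as path segments, and only descending into properties the argv object itself owns. Function names, the forbidden-key set and the sample arguments are this example's assumptions.

```javascript
// Added example (not minimist's code): a toy argv parser supporting the
// dotted "--a.b=value" form. setKeyUnsafe shows the prototype-pollution
// shape; setKeySafe shows the checks a fix needs. Names are assumptions.

// "--key=value" -> ["key", "value"]; "--flag" -> ["flag", true]
function splitArg(arg) {
  const body = arg.slice(2);
  const eq = body.indexOf('=');
  return eq === -1 ? [body, true] : [body.slice(0, eq), body.slice(eq + 1)];
}

// Vulnerable: walks the dotted path with plain property access. For
// ["__proto__", "y"] the walk lands on Object.prototype directly; for
// ["constructor", "prototype", "z"] it gets there via the Object function,
// which is why blocking "__proto__" alone is not enough.
function setKeyUnsafe(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Keys that let a path escape the argv object and reach a shared prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: refuse the whole argument if any path segment is a prototype
// key, and only descend into properties the object itself owns, so an
// inherited property such as "toString" can never be walked into either.
function setKeySafe(obj, keys, value) {
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) return false;
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== 'object' || o[key] === null) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Parses "--a.b=c" style arguments with the supplied setKey strategy and
// returns { argv, rejected }, where rejected lists the dropped arguments.
function parseArgs(argv, setKey) {
  const out = {};
  const rejected = [];
  for (const arg of argv) {
    if (!arg.startsWith('--')) continue; // toy parser: positionals ignored
    const [path, value] = splitArg(arg);
    if (!setKey(out, path.split('.'), value)) rejected.push(arg);
  }
  return { argv: out, rejected };
}

// True if prop has been planted on Object.prototype, i.e. every object in
// the process now appears to have it.
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Undo a pollution so one experiment does not contaminate the next.
function cleanPollution(prop) {
  delete Object.prototype[prop];
}

// Stand-alone demonstration of both payloads against both strategies.
if (typeof require !== 'undefined' && require.main === module) {
  parseArgs(['--__proto__.y=Polluted'], setKeyUnsafe);
  console.log('unsafe, __proto__.y polluted:', isPolluted('y')); // true
  cleanPollution('y');
  parseArgs(['--constructor.prototype.z=1'], setKeyUnsafe);
  console.log('unsafe, constructor.prototype.z polluted:', isPolluted('z')); // true
  cleanPollution('z');
  const r = parseArgs(['--__proto__.y=Polluted', '--constructor.prototype.z=1', '--db.host=localhost'], setKeySafe);
  console.log('safe, polluted:', isPolluted('y') || isPolluted('z'), 'rejected:', r.rejected); // false, 2 rejected
}
```

The toy does not reproduce the crash that the advisory reports for --__proto__=Polluted; the hardened version simply rejects that argument because its single segment is a forbidden key. Rejecting the whole argument, rather than silently skipping the bad segment, also leaves an audit trail (the rejected list) that a CLI can log.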