html-to-text is a Node.js package that converts HTML content into clean, readable plain text. Versions 1.3.0 and 1.3.1 share the same foundation and the same HTML parsing capabilities. They depend on the same core libraries: 'htmlparser' for dissecting the HTML structure, 'underscore' and 'underscore.string' for utility functions, and 'optimist' for command-line argument parsing. The development dependencies used for testing ('chai', 'install' and 'mocha') are also identical between the two versions, so the HTML-to-text conversion logic itself is unchanged.
The two versions differ mainly in release date: 1.3.0 was released on April 7th, 2015, and 1.3.1 followed on June 15th, 2015. A patch-level bump like this normally carries bug fixes, minor enhancements or dependency updates rather than new features, which suggests that the core conversion logic was already stable. The MIT license allows the library to be integrated into projects of any licensing model. Reviewing the commit history between the two releases gives the precise list of changes. Note that a stable conversion core does not make the package safe to use as-is: the advisories below come from its dependency tree, so the practical check is to audit the lockfile that a given installation actually resolves.
All vulnerabilities affecting version 1.3.1 of the package
Regular Expression Denial of Service in underscore.string
Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS). html-to-text 1.3.1 depends on underscore.string directly.
The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs, so any code path that passes attacker-controlled HTML (scraped pages, e-mail bodies, user-submitted content) through the converter is exposed.
Upgrade to version 3.3.5 or higher.
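The example below is added here to make the ReDoS mechanism concrete; it is not code from underscore.string or from html-to-text. It places an overly broad entity pattern of the shape the advisory describes (`&` followed by anything up to a `;`, an assumed illustration rather than a quotation of the library's source) beside a bounded pattern that restricts what an entity name may look like, and builds the worst-case input for the broad one: a long run of `&` with no `;` anywhere, so every `&` makes the regex engine scan to the end of the string and back. The entity table, the sample strings and the timing helper are all constructed for this example.

```javascript
'use strict';

// Small entity table, constructed for this example (not the library's table).
const ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Shared replacement callback for String.prototype.replace: named entity,
// `&#xHEX;` or `&#DEC;`. Anything unknown, or an out-of-range code point,
// is left exactly as written.
function decodeEntity(entity, code) {
  if (Object.prototype.hasOwnProperty.call(ENTITIES, code)) return ENTITIES[code];
  let m;
  let cp = -1;
  if ((m = /^#x([\da-fA-F]+)$/.exec(code))) cp = parseInt(m[1], 16);
  else if ((m = /^#(\d+)$/.exec(code))) cp = parseInt(m[1], 10);
  if (cp >= 0 && cp <= 0x10ffff) return String.fromCodePoint(cp);
  return entity;
}

// Overly broad pattern (assumed shape, not underscore.string's source): every
// `&` that never meets a `;` makes the engine consume to the end of the string
// and then backtrack one character at a time, so total work is roughly
// (number of `&`) x (distance to the end of the input).
function unescapeHTMLBroad(str) {
  return String(str).replace(/&([^;]+);/g, decodeEntity);
}

// Bounded pattern: an entity is `#x` plus 1-6 hex digits, `#` plus 1-7 decimal
// digits, or a short alphanumeric name. Each `&` is examined in constant time,
// and a stray `&` can no longer swallow text up to some unrelated `;`.
function unescapeHTMLBounded(str) {
  return String(str).replace(
    /&(#x[\da-fA-F]{1,6}|#\d{1,7}|[a-zA-Z][a-zA-Z0-9]{0,31});/g,
    decodeEntity
  );
}

// Worst case for the broad pattern: a run of `&` with no `;` anywhere.
function worstCase(n) {
  return '&'.repeat(n);
}

// Wall-clock milliseconds for a single call of fn(input).
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed sample: well-formed entities decode identically under both patterns.
const sample = '&lt;a href="x"&gt; &amp; &#65;&#x42; &bogus;';
console.log('bounded :', unescapeHTMLBounded(sample));
console.log('broad   :', unescapeHTMLBroad(sample));

// The broad pattern's cost climbs with the square of the `&` count; the bounded
// one stays flat. Sizes are kept small so the demo finishes quickly.
for (const n of [2000, 4000, 8000]) {
  const broad = timeMs(unescapeHTMLBroad, worstCase(n)).toFixed(1);
  const bounded = timeMs(unescapeHTMLBounded, worstCase(n)).toFixed(1);
  console.log(`n=${n}: broad ${broad} ms, bounded ${bounded} ms`);
}
```

Beyond the timing, the two patterns also disagree on malformed input such as `&& &lt;`: the broad one matches from the first `&` all the way to the `;` and treats `& &lt` as one unknown entity, leaving the text undecoded, while the bounded one decodes the real `&lt;`. A length cap on the captured name (the approach the 3.3.5 fix takes) is the minimal change; restricting the character class as well removes the mis-parsing too.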
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. minimist reaches html-to-text 1.3.1 transitively through optimist. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, adding a property to, or modifying an existing property on, every object in the process.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable only if attackers control the arguments passed to minimist, for example when a service builds a command line from request data or lets users invoke the CLI with their own flags.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). This is a second, separate advisory for the same function: the earlier fix in 1.2.3 / 0.2.1 was incomplete.
Upgrade to versions 0.2.4, 1.2.6 or later.
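Both minimist advisories above concern the same mechanism, a dotted-key setter that walks `--a.b.c=value` into nested objects, so one added example covers both. The code below is not minimist's source or its patch: it is a deliberately minimal setter written for this page, in the naive form that pollutes Object.prototype when given the advisory's payload, next to an illustrative hardened form that refuses prototype-reaching path segments and only descends into own, plain-object properties. The argv parser accepts only the `--key.path=value` form, a constructed subset of what minimist parses; the argument strings are constructed too.

```javascript
'use strict';

// Path segments that must never be used when building nested objects from
// untrusted input: each one reaches Object.prototype or a constructor.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive dotted-key setter. `{}.__proto__` is already defined (it is
// Object.prototype), so for the path ['__proto__', 'y'] the walk steps onto the
// shared prototype and the final assignment lands on every object in the process.
function setKeyNaive(obj, path, value) {
  let o = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const k = path[i];
    if (o[k] === undefined) o[k] = {};
    o = o[k];
  }
  o[path[path.length - 1]] = value;
  return true;
}

// Hardened setter (illustrative fix, not minimist's actual patch): reject the
// dangerous segments outright, and never descend into an inherited property.
function setKeySafe(obj, path, value) {
  if (path.some((k) => FORBIDDEN_SEGMENTS.has(k))) return false;
  let o = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const k = path[i];
    const own = Object.prototype.hasOwnProperty.call(o, k);
    if (!own || typeof o[k] !== 'object' || o[k] === null) o[k] = {};
    o = o[k];
  }
  o[path[path.length - 1]] = value;
  return true;
}

// Tiny argv parser for the `--a.b.c=value` form only (a constructed subset of
// minimist's grammar). Returns the parsed object and any rejected arguments.
function parseArgs(argv, setKey) {
  const result = {};
  const rejected = [];
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    if (!setKey(result, m[1].split('.'), m[2])) rejected.push(arg);
  }
  return { result, rejected };
}

// Feeds the advisory's payload to the naive setter and reports whether an
// unrelated, freshly created object now carries the injected property. The
// pollution is undone afterwards so it does not leak into the rest of the process.
function demonstrateNaivePollution() {
  parseArgs(['--__proto__.y=Polluted'], setKeyNaive);
  const fresh = {};
  const polluted = fresh.y === 'Polluted';
  delete Object.prototype.y;
  return polluted;
}

// Same payload mixed with legitimate flags through the hardened setter: the
// payload is rejected, the other flags parse, and fresh objects stay clean.
function demonstrateSafeRejection() {
  const argv = ['--__proto__.y=Polluted', '--port=8080', '--db.host=localhost'];
  const { result, rejected } = parseArgs(argv, setKeySafe);
  const fresh = {};
  return { polluted: fresh.y === 'Polluted', rejected, result };
}

console.log('naive setter pollutes Object.prototype:', demonstrateNaivePollution());
console.log('hardened setter:', JSON.stringify(demonstrateSafeRejection()));
```

The check a practitioner wants from this is the `fresh.y` probe: after parsing untrusted arguments, a brand-new `{}` should never carry keys it was not given. Rejecting the segment by name is necessary but not sufficient on its own, which is why the hardened setter also refuses to descend through inherited properties; that second guard is what closes the gap between the first and second minimist advisories in spirit.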