Html-to-text is a Node.js package designed for converting HTML content into readable plain text, a crucial utility for tasks like email processing, generating previews, and extracting information from web pages. Comparing version 1.4.0 with the prior stable release, 1.3.2, reveals subtle but potentially important changes for developers. The core dependencies, including htmlparser, underscore, underscore.string, and optimist, remain consistent across both versions, indicating a stable underlying architecture for parsing and manipulating HTML. Similarly, the development dependencies for testing (Chai and Mocha) and installation remain untouched.
The key difference lies in the releaseDate. Version 1.4.0 was published on November 9, 2015, while version 1.3.2 was released on September 23, 2015. This two-month gap suggests that 1.4.0 incorporates bug fixes, performance improvements, or minor feature additions implemented since the earlier release. While the specific nature of these changes isn't explicitly detailed in the provided metadata, upgrading to 1.4.0 is generally advisable to benefit from the latest refinements and ensure optimal performance. Both versions share the same MIT license and repository, highlighting the project's commitment to open-source principles. Developers can easily integrate this library into their projects to handle HTML-to-text conversion needs.
All vulnerabilities affecting version 1.4.0 of the package
Regular Expression Denial of Service in underscore.string
Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).
The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.
Upgrade to version 3.3.5 or higher.
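The advisory above turns on a single pattern detail: an entity regex whose repetition is unbounded must backtrack through the rest of the input every time an ampersand is not followed by a semicolon, so cost grows super-linearly. The following added example (written for this page, not code from underscore.string or html-to-text) shows the shape of a decoder that cannot do that: every alternation after `&` has a fixed maximum length, so the engine gives up after at most a dozen characters per ampersand. The entity table, the `unescapeHTMLSafe` and `timeHostileInput` names, and the hostile-input construction are all my own choices.

```javascript
// Added example, not underscore.string's unescapeHTML: an HTML-entity
// decoder with bounded repetition, plus a timing helper for hostile input.

// Small, fixed entity table (assumed set; extend as needed).
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0',
};

// Every branch has a hard upper bound ({1,6}, {1,7}, {1,9}) and a restricted
// character class, so a '&' with no matching ';' fails after a bounded scan
// instead of backtracking over the remainder of the input.
const ENTITY_RE = /&(#x[0-9a-fA-F]{1,6}|#[0-9]{1,7}|[a-zA-Z][a-zA-Z0-9]{1,9});/g;

function unescapeHTMLSafe(input) {
  return String(input).replace(ENTITY_RE, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x';
      const code = parseInt(isHex ? body.slice(2) : body.slice(1), isHex ? 16 : 10);
      // Out-of-range code points are left as written rather than decoded.
      if (Number.isNaN(code) || code > 0x10ffff) return match;
      return String.fromCodePoint(code);
    }
    // Unknown named entities are left untouched (case-sensitive lookup).
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body)
      ? NAMED_ENTITIES[body]
      : match;
  });
}

// Constructed worst case: many '&' and never a ';'. An unbounded "[^;]+"
// pattern scans to the end of the string for each '&' (quadratic overall);
// the bounded pattern above does constant work per '&'.
function timeHostileInput(length) {
  const hostile = '&a'.repeat(length);
  const start = process.hrtime.bigint();
  unescapeHTMLSafe(hostile);
  return Number(process.hrtime.bigint() - start) / 1e6; // milliseconds
}

module.exports = { unescapeHTMLSafe, timeHostileInput };
```

Doubling the `length` passed to `timeHostileInput` should roughly double the measured time; a decoder that instead quadruples it is the kind of super-linear behaviour the advisory describes. Bounding the repetition is also what keeps the decoder correct: real entity names and numeric references are short, so nothing legitimate is lost.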
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to version 0.2.1 or 1.2.3 or later.
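The two advisories above describe the same root cause: a dotted argument key is walked segment by segment, and nothing stops a segment such as `__proto__` from stepping onto `Object.prototype`. The following added example (my own code, not minimist's `setKey()`) shows the hardened shape of that walk and a post-condition a test suite can assert after parsing untrusted arguments. The `--key=value` and `--flag` subset of the syntax, the function names `setKeySafe`, `parseArgsSafe` and `objectPrototypeIsClean`, and the reserved-key list are all assumptions made for the example.

```javascript
// Added example, not minimist's own code: an argument parser whose key
// setter refuses to follow prototype-chain segments, plus a check that
// confirms Object.prototype was left untouched.

// Segments that would leave the target object and reach shared prototypes.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Set obj.a.b.c = value for the dotted path "a.b.c", creating intermediate
// objects as needed. A reserved or empty segment is rejected instead of
// being followed; that rejection is the check the advisory says is missing.
function setKeySafe(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  keys.forEach((key, i) => {
    if (key === '' || RESERVED_KEYS.has(key)) {
      throw new Error(`rejecting argument key "${path}": reserved or empty segment "${key}"`);
    }
    if (i === keys.length - 1) {
      cur[key] = value;
      return;
    }
    // Descend only into own, plain objects; never into inherited properties.
    if (!Object.prototype.hasOwnProperty.call(cur, key) ||
        typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = Object.create(null);
    }
    cur = cur[key];
  });
  return obj;
}

// Parse "--key=value" and bare "--flag" arguments (a deliberately small
// subset of minimist's syntax). The result has a null prototype, so even a
// segment that somehow slipped past the check could not alias
// Object.prototype through it.
function parseArgsSafe(argv) {
  const result = Object.create(null);
  for (const arg of argv) {
    if (!arg.startsWith('--')) continue; // positional arguments are ignored here
    const body = arg.slice(2);
    const eq = body.indexOf('=');
    if (eq === -1) {
      setKeySafe(result, body, true);
    } else {
      setKeySafe(result, body.slice(0, eq), body.slice(eq + 1));
    }
  }
  return result;
}

// Post-condition for tests: successful pollution leaves an own enumerable
// property on Object.prototype (the advisory's example is "y"); a clean
// prototype has none.
function objectPrototypeIsClean() {
  return Object.keys(Object.prototype).length === 0 && ({}).y === undefined;
}

module.exports = { setKeySafe, parseArgsSafe, objectPrototypeIsClean };
```

Because the parsed result has a null prototype, callers must use `Object.prototype.hasOwnProperty.call(args, 'x')` rather than `args.hasOwnProperty('x')`. Rejecting reserved keys with an error, rather than silently dropping them, also makes such input visible in logs, which is where a defender would want to see it.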
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).