The npm package html-to-text provides a powerful solution for developers needing to convert HTML content into plain, readable text. Comparing versions 1.4.0 and 1.5.0 reveals subtle differences that might impact usage. Both versions share identical core dependencies: htmlparser, underscore, underscore.string, and optimist, ensuring consistent parsing and string manipulation capabilities. This means the fundamental conversion logic remains the same. Similarly, the development dependencies for testing (chai, install, mocha) are consistent, suggesting a stable testing environment across both versions. The licensing (MIT) and repository details also match, guaranteeing the same open-source access and origin.
The key difference lies in the release date. Version 1.5.0 was released on November 25, 2015, while version 1.4.0 was released on November 9, 2015, indicating a period of roughly two weeks between releases. This suggests that version 1.5.0 likely includes bug fixes, minor enhancements, or performance improvements implemented since version 1.4.0. While the specific nature of these alterations isn't explicitly detailed in the provided metadata, developers using html-to-text should opt for version 1.5.0 to leverage the latest refinements. The functionality of html-to-text remains consistent, providing reliable HTML-to-text conversion for various applications, from email processing and content extraction to generating previews and simplifying web content. The package allows developers to strip away HTML formatting while preserving the essential information.
All vulnerabilities affecting version 1.5.0 of the package
Regular Expression Denial of Service in underscore.string
Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).
The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.
Upgrade to version 3.3.5 or higher.
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
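The mitigation both minimist advisories point at, shown as an added example that is not minimist's own code: a minimal "--key.path=value" parser whose setKey() refuses any path segment that could reach Object.prototype, so the two arguments quoted above are rejected without crashing the process. The argv strings are constructed samples; FORBIDDEN_KEYS, setKey and parseArgs are names chosen here.

```javascript
// Added example, not minimist's code: hardened key-setter for dotted argv paths.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk/create nested objects along `path` and assign `value` at the leaf.
// Any segment that could reach Object.prototype is rejected instead of written.
function setKey(obj, path, value) {
  if (path.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error(`refusing to set key path "${path.join('.')}"`);
  }
  let cur = obj;
  for (const key of path.slice(0, -1)) {
    // Only descend into own, non-null object properties; never into inherited ones.
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = Object.create(null); // prototype-less container
    }
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Parse "--a.b=value" style arguments. Rejected arguments are collected in
// `rejected` rather than crashing the application.
function parseArgs(argv) {
  const result = { parsed: Object.create(null), rejected: [] };
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    try {
      setKey(result.parsed, m[1].split('.'), m[2]);
    } catch (err) {
      result.rejected.push(arg);
    }
  }
  return result;
}

// Constructed sample input: the two arguments quoted in the advisory above,
// plus one harmless argument.
const sampleArgv = ['--name=demo', '--__proto__.y=Polluted', '--__proto__=Polluted'];
const out = parseArgs(sampleArgv);
console.log(out.parsed, out.rejected);
console.log('y' in {}); // false: Object.prototype was left untouched
```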