Version 1.6.0 of the html-to-text npm package is a minor update to its predecessor, version 1.5.1, and serves the same purpose: converting HTML content into readable plain text. Both versions rest on the same runtime dependencies: htmlparser for HTML parsing, underscore and underscore.string for data and string manipulation, and optimist for command-line option handling. The developer dependencies (chai, install, and mocha) are also unchanged, so the test and development setup is the same for both. The core functionality and the MIT license are identical, so there is no change in how the library operates or in its usage rights.
The visible differences are the release dates and whatever fixes landed between them. Version 1.6.0 was released on January 22, 2016, about five weeks after version 1.5.1 on December 16, 2015. The changelog is not included in this data, so the exact fixes cannot be listed here; a developer choosing between the two should prefer 1.6.0 as the later release. Note that because the dependency ranges did not change between 1.5.1 and 1.6.0, moving to 1.6.0 does nothing by itself about the advisories listed below: they concern transitive dependencies (underscore.string, and minimist as pulled in by optimist), and are addressed only by ensuring the resolved versions of those packages are at or above the fixed releases.
All vulnerabilities related to version 1.6.0 of the package
Regular Expression Denial of Service in underscore.string
Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).
The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters and grows much faster than linearly with larger inputs, so untrusted HTML of even modest size can tie up the event loop.
Upgrade to version 3.3.5 or higher. Because html-to-text declares underscore.string as a range rather than pinning it, confirm which version actually resolves in your tree (for example with npm ls underscore.string) rather than assuming the package.json of html-to-text settles it.
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist, for example when a wrapper script forwards user-supplied strings to the command line.
Upgrade to version 0.2.1 (0.x line) or 1.2.3 (1.x line) or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). This is a separate advisory from the one above, so a tree that was upgraded to 1.2.3 or 0.2.1 for the earlier issue is still affected. Upgrade to version 1.2.6 or 0.2.4 or later.
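The following is an added example covering both minimist entries above, written for this page; it is a toy argv parser, not minimist's index.js or its setKey() function. It shows how a setter that walks nested keys by name lets --__proto__.y=Polluted reach Object.prototype, and one reasonable hardening that refuses prototype-path segments. The argument list is constructed, and the probe helper undoes the pollution so the rest of the process is unaffected.

```javascript
// Added example for this page, not minimist's code: a minimal "--a.b=value"
// parser whose key setter walks nested objects purely by key name (the
// pattern behind the pollution), beside a hardened setter.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: "__proto__" is looked up like any other key, so o['__proto__']
// resolves to Object.prototype and the final assignment lands there.
function setKeyUnsafe(obj, keys, value) {
  let o = obj;
  for (const k of keys.slice(0, -1)) {
    if (o[k] === undefined) o[k] = {};
    o = o[k];
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened: drop the whole argument if any segment names a prototype path,
// and build intermediate containers without a prototype at all.
function setKeySafe(obj, keys, value) {
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) return;
  let o = obj;
  for (const k of keys.slice(0, -1)) {
    if (typeof o[k] !== 'object' || o[k] === null) o[k] = Object.create(null);
    o = o[k];
  }
  o[keys[keys.length - 1]] = value;
}

// Handles only "--name", "--name=value" and dotted names; enough for the demo.
function parseArgs(argv, setKey) {
  const out = {};
  for (const arg of argv) {
    if (!arg.startsWith('--')) continue;
    const body = arg.slice(2);
    const eq = body.indexOf('=');
    const name = eq === -1 ? body : body.slice(0, eq);
    const value = eq === -1 ? true : body.slice(eq + 1);
    setKey(out, name.split('.'), value);
  }
  return out;
}

// Parses argv, samples whether a fresh object now inherits `y`, then removes
// any pollution so later code in this process is not affected.
function pollutionProbe(argv, setKey) {
  const parsed = parseArgs(argv, setKey);
  const leaked = ({}).y;
  delete Object.prototype.y;
  return { parsed, leaked };
}

// Constructed hostile argument list, as in the advisory text above.
const demoArgv = ['--__proto__.y=Polluted', '--name=alice'];
console.log('unsafe setter leaks:', pollutionProbe(demoArgv, setKeyUnsafe).leaked); // Polluted
console.log('safe setter leaks:', pollutionProbe(demoArgv, setKeySafe).leaked);     // undefined
```

The practical check in a real tree is the same as for underscore.string: run npm ls minimist and make sure every resolved copy, including those nested under optimist, is at or above the fixed versions, since a single stale copy reachable from untrusted input is enough.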