html-to-text is a Node.js package that converts HTML into plain text; it is commonly used for generating the text part of multipart e-mail, for content extraction, and for stripping markup before further processing. Version 1.6.1 is a follow-up to 1.6.0 with an unchanged dependency tree. Both versions declare the same runtime dependencies: htmlparser for HTML parsing, underscore and underscore.string for utility functions, and optimist for command-line argument parsing. The development dependencies (chai for assertions, install, and mocha as the test runner) are also identical, so the test and build environment is the same for both releases.
Both versions are MIT-licensed, authored by Malte Legenhausen, and hosted on GitHub. The only difference visible in the package metadata is the release date: 1.6.0 was published on January 22, 2016 and 1.6.1 on February 19, 2016. The data here does not list what changed between the two, so nothing should be assumed about the scope of the release from the short interval alone; consult the package's changelog or the commit history on GitHub before upgrading. From a supply-chain standpoint the more important point is the one the metadata does establish: because the dependency list did not change, 1.6.1 carries exactly the same transitive exposure as 1.6.0, namely underscore.string as a direct dependency and minimist reached through optimist.
Known vulnerabilities affecting version 1.6.1 of the package (all three are in its dependencies, not in html-to-text's own code)
Regular Expression Denial of Service in underscore.string
Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).
The function unescapeHTML is vulnerable to ReDoS because its entity-matching regular expression is overly broad. The reported slowdown is approximately 2 s for a 50,000-character input and grows exponentially with input length, so any code path that passes attacker-controlled strings to unescapeHTML can be stalled with a single request.
Upgrade to version 3.3.5 or higher.
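To make the remediation concrete, here is an added example (written for this page, not underscore.string's code) of an entity decoder whose regular expression cannot backtrack catastrophically: each alternative is bounded and there are no nested quantifiers, so a long run of characters after an ampersand is rejected in a single pass. The entity table is deliberately small and assumed for the example; timedUnescape and adversarialInput are helper names introduced here.

```javascript
// Added example written for this page; it is not underscore.string's
// unescapeHTML. It shows an entity decoder whose regex has no nested or
// unbounded quantifiers, so the scan is linear in the input length.

// Small, assumed entity table; a real decoder would carry the full HTML list.
const NAMED_ENTITIES = Object.freeze({
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0',
});

// Three bounded alternatives: hex numeric, decimal numeric, named.
// Each can backtrack at most a few dozen characters before failing, after
// which the engine moves on, so a long run of letters after '&' cannot
// trigger exponential re-matching.
const ENTITY_RE = /&(?:#[xX]([0-9a-fA-F]{1,6})|#([0-9]{1,7})|([a-zA-Z][a-zA-Z0-9]{1,31}));/g;

function decodeCodePoint(cp, original) {
  // Leave the text untouched rather than throwing on out-of-range values.
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : original;
}

function unescapeHTML(input) {
  return String(input).replace(ENTITY_RE, (match, hex, dec, name) => {
    if (hex !== undefined) return decodeCodePoint(parseInt(hex, 16), match);
    if (dec !== undefined) return decodeCodePoint(parseInt(dec, 10), match);
    // hasOwnProperty keeps "&constructor;" from reading Object.prototype.
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name)
      ? NAMED_ENTITIES[name]
      : match;
  });
}

// The classic ReDoS shape for an entity regex: an ampersand followed by a
// long run of characters that never reaches a terminating ';'.
function adversarialInput(n) {
  return '&' + 'a'.repeat(n);
}

// Returns the decoded string and the elapsed milliseconds, so a caller can
// check both correctness and that runtime stays flat as n grows.
function timedUnescape(input) {
  const start = process.hrtime.bigint();
  const output = unescapeHTML(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { output, ms };
}

console.log(unescapeHTML('&lt;b&gt;Tom &amp; Jerry&lt;/b&gt; &#65;&#x42;'));
const probe = timedUnescape(adversarialInput(200000));
console.log(`200k-char adversarial input decoded in ${probe.ms.toFixed(1)} ms`);
```

Running it decodes the sample string and reports the time taken on a 200,000-character adversarial input; with a linear-time regex that figure stays in the low milliseconds, which is the property worth asserting in a test before trusting any replacement decoder. The hasOwnProperty check matters too: with a plain-object lookup table, "&constructor;" would otherwise resolve to Object.prototype.constructor.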
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not sanitized before being used as property names, so an attacker can reach Object.prototype and add or overwrite a property that then appears on every object in the process.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable only where attackers control the arguments passed to minimist. In html-to-text's case minimist is reached through optimist, a command-line argument parser, so the exposure is wherever the command-line interface (or any other optimist consumer) is fed untrusted arguments.
Upgrade to 0.2.1 or later on the 0.x line, or 1.2.3 or later on the 1.x line. Because minimist is a transitive dependency here, confirm the resolved version in the lockfile rather than assuming the upgrade took effect.
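Added example, written for this page and not taken from minimist: a minimal "--key.sub=value" parser in two variants. setKeyUnsafe reproduces the shape of the bug in the advisory, where each segment of a dotted key is looked up on the current object (so "__proto__" yields Object.prototype and the final assignment lands there); setKeySafe rejects "__proto__", "constructor" and "prototype" segments and descends only into own properties. parseArgs, pollutionProbe and the argument strings are all constructed for this example.

```javascript
// Added example written for this page; it is not minimist's source. Both
// parsers share a tiny "--key.sub=value" grammar so that the only
// difference is how the dotted key path is walked and assigned.

// Vulnerable shape: each path segment is read off the current object, so
// "__proto__" resolves to Object.prototype and the final assignment lands
// there, visible on every object in the process.
function setKeyUnsafe(obj, keyPath, value) {
  let o = obj;
  for (const key of keyPath.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keyPath[keyPath.length - 1]] = value;
}

// Hardened shape: refuse the segments that reach a prototype, and only
// descend into own, object-valued properties so an inherited name cannot
// be used as a stepping stone either. Returns false when the key is dropped.
const PROTO_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function setKeySafe(obj, keyPath, value) {
  if (keyPath.some((k) => PROTO_SEGMENTS.has(k))) return false;
  let o = obj;
  for (const key of keyPath.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== 'object' || o[key] === null) o[key] = {};
    o = o[key];
  }
  o[keyPath[keyPath.length - 1]] = value;
  return true;
}

// Minimal argv parser: "--a.b=c" becomes a nested key, anything else is
// collected as a positional argument under "_".
function parseArgs(argv, setKey) {
  const result = { _: [] };
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setKey(result, m[1].split('.'), m[2]);
    else result._.push(arg);
  }
  return result;
}

// Parses the advisory's example argument with the given setKey and reports
// whether a fresh, unrelated object picked up the injected property.
// Object.prototype is restored afterwards so the rest of the process is
// unaffected.
function pollutionProbe(setKey) {
  const before = ({}).y;
  const parsed = parseArgs(['--__proto__.y=Polluted', 'input.html'], setKey);
  const after = ({}).y;
  delete Object.prototype.y;
  return { before, after, positional: parsed._ };
}

console.log('unsafe:', pollutionProbe(setKeyUnsafe)); // after: 'Polluted'
console.log('safe:  ', pollutionProbe(setKeySafe));   // after: undefined
```

The probe deliberately does not reproduce the crash the advisory mentions for --__proto__=Polluted; it only shows the property injection, which is the part that survives silently into the rest of the process and is the harder one to notice in production.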
Prototype Pollution in minimist
minimist prior to 1.2.6 and 0.2.4 is vulnerable to prototype pollution via file index.js, function setKey() (lines 69-95). This is a second, separately tracked issue in the same key-assignment path; the earlier fix versions (0.2.1 and 1.2.3) do not cover it. Upgrade to 0.2.4 or later on the 0.x line, or 1.2.6 or later on the 1.x line.
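Because each advisory on this page names a fix version per release line, and because minimist reaches html-to-text transitively through optimist, the practical check is against the resolved versions in the lockfile rather than against package.json ranges. The following added example (written for this page; not npm's or html-to-text's code) walks a package-lock.json v1 style nested "dependencies" tree and reports every path to an affected copy. The lockfile object is constructed: the html-to-text 1.6.1 dependency names match the page, but every resolved version in it is assumed for illustration, and the fix versions used are the later ones (0.2.4 and 1.2.6 for minimist, 3.3.5 for underscore.string).

```javascript
// Added example written for this page (not html-to-text's or npm's code).
// It walks a package-lock.json v1 style "dependencies" tree, which nests
// transitive packages, and reports every resolved copy of a package whose
// version falls below the fix for its release line.

// Fix versions taken from the advisories on this page, keyed by major line.
const ADVISORIES = {
  'underscore.string': [[3, '3.3.5']],      // ReDoS in unescapeHTML
  minimist: [[0, '0.2.4'], [1, '1.2.6']],   // prototype pollution in setKey()
};

// Numeric prefix only; prerelease tags are ignored (use the semver package
// in real tooling).
function parseVersion(v) {
  return v.split('.').map((n) => parseInt(n, 10));
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isVulnerable(name, version) {
  const lines = ADVISORIES[name];
  if (!lines) return false;
  const major = parseVersion(version)[0];
  for (const [line, fixed] of lines) {
    if (major === line) return compareVersions(version, fixed) < 0;
  }
  // A major line with no fix listed (e.g. underscore.string 2.x) is affected
  // only if it is older than the lowest fixed line ("prior to 3.3.5").
  return major < lines[0][0];
}

// Depth-first walk of the nested dependency tree; returns "a@1 > b@2" paths.
function findVulnerable(deps, path = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (isVulnerable(name, info.version)) out.push(here.join(' > '));
    findVulnerable(info.dependencies, here, out);
  }
  return out;
}

// Constructed lockfile fragment. Dependency names follow the page; every
// resolved version below is assumed for the example.
const SAMPLE_LOCK = {
  name: 'my-app',
  dependencies: {
    'html-to-text': {
      version: '1.6.1',
      dependencies: {
        htmlparser: { version: '1.7.7' },
        underscore: { version: '1.8.3' },
        'underscore.string': { version: '3.2.3' },
        optimist: {
          version: '0.6.1',
          dependencies: { minimist: { version: '0.0.10' } },
        },
      },
    },
    minimist: { version: '1.2.6' },
  },
};

for (const hit of findVulnerable(SAMPLE_LOCK.dependencies)) {
  console.log('affected:', hit);
}
```

The walk reports the nested minimist copy under optimist even though a patched minimist sits at the top level, which is exactly the situation a package.json-only check misses: the transitive copy is the one optimist actually loads.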