The npm package html-to-text offers developers a robust solution for converting HTML content into plain text, preserving readability while stripping away formatting. Examining versions 1.6.1 and 1.6.2 reveals subtle changes within a well-established tool. Both versions share the same core dependencies (htmlparser, underscore, underscore.string and optimist) and the same development dependencies (chai, install and mocha), which suggests a focus on stability and incremental improvements rather than radical overhauls. The MIT license across both versions assures developers of open and permissive usage.
The key difference lies in the release dates: version 1.6.2 was published on February 19, 2016, at 15:12:12.341Z, approximately 7 hours after version 1.6.1, released on the same day at 08:24:51.732Z. This suggests that version 1.6.2 likely contains bug fixes or minor enhancements implemented shortly after the initial 1.6.1 release.
For developers, this means that opting for version 1.6.2 is generally preferable, as it likely incorporates the latest refinements. Both versions remain valuable for extracting clean, readable text from HTML and fit into any workflow that needs text-based content derived from HTML sources, including content prepared with SEO in mind.
All vulnerabilities related to version 1.6.2 of the package
Regular Expression Denial of Service in underscore.string
Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).
The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.
Upgrade to version 3.3.5 or higher.
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
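A hardened dotted-key assignment, added here as an example and not minimist's own setKey(), illustrating the guard that both minimist advisories above call for: path segments that could reach Object.prototype ("__proto__", "constructor", "prototype") are rejected before anything is assigned, and a helper reports whether Object.prototype has picked up any enumerable (polluted) properties. The parser and its function names are assumptions for this example; the two argument strings are the ones quoted in the first minimist advisory.

```javascript
// Added example (not minimist's code): a minimal "--key=value" / "--a.b=c"
// argument parser whose setKey() refuses prototype-polluting path segments.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assigns `value` to the dotted `path` inside `target`, creating intermediate
// null-prototype objects as needed. Returns false, assigning nothing, when any
// segment of the path could reach Object.prototype.
function setKey(target, path, value) {
  const segments = path.split('.');
  if (segments.some((s) => FORBIDDEN_KEYS.has(s))) return false;
  let obj = target;
  for (const key of segments.slice(0, -1)) {
    // Descend only into own, non-null objects; never walk inherited properties.
    const own = Object.prototype.hasOwnProperty.call(obj, key);
    if (!own || typeof obj[key] !== 'object' || obj[key] === null) {
      obj[key] = Object.create(null);
    }
    obj = obj[key];
  }
  obj[segments[segments.length - 1]] = value;
  return true;
}

// Parses argv-style tokens. Rejected (polluting) tokens are reported in
// `rejected` instead of being applied, so the caller can log or refuse them.
function parseArgs(argv) {
  const result = { parsed: Object.create(null), rejected: [] };
  for (const token of argv) {
    if (!token.startsWith('--')) continue; // positional args are out of scope here
    const body = token.slice(2);
    const eq = body.indexOf('=');
    const key = eq === -1 ? body : body.slice(0, eq);
    const value = eq === -1 ? true : body.slice(eq + 1);
    if (!setKey(result.parsed, key, value)) result.rejected.push(token);
  }
  return result;
}

// Detection helper: Object.prototype's built-ins are non-enumerable, so any
// enumerable key found there was added by an assignment such as a pollution.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Constructed sample input, taken from the advisory text above.
const sample = parseArgs(['--__proto__.y=Polluted', '--__proto__=Polluted', '--name=demo']);
console.log(sample.rejected, sample.parsed.name, pollutedPrototypeKeys()); // 2 rejected, 'demo', []
```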