Html-to-text version 5.0.0 represents an evolution of the popular Node.js package for converting HTML to plain text, building upon the foundation laid by version 4.0.0. Several key updates were introduced to enhance functionality and developer experience.
One notable change involves dependency updates. Version 5.0.0 upgrades the "he" (HTML entities) dependency to "^1.2.0" from "^1.0.0" in version 4.0.0, potentially incorporating new entity decoding features and security enhancements. The "htmlparser2" dependency also sees an update, moving to "^3.10.1" from "^3.9.2", likely bringing improved HTML parsing capabilities and bug fixes. Lodash is also bumped to "^4.17.11" from "^4.17.4".
From a development perspective, the devDependencies have also shifted. Chai moves up to "^4.2.0" from "^4.0.1", and eslint is updated to "^5.15.3" from "^4.18.2", suggesting an emphasis on code quality and testing.
The distribution details reveal a slight increase in file count (23 vs. 22) and unpacked size (89329 bytes vs. 86922 bytes), indicating the addition of new features or assets. Finally, the release dates show that version 5.0.0 was released approximately a year after version 4.0.0.
These collective updates signify a commitment to staying current with dependencies, improving code quality, and potentially introducing new functionalities for developers seeking a robust HTML-to-text conversion solution. Developers should evaluate these changes based on their project's compatibility and specific requirements.
All the vulnerabilities related to version 5.0.0 of the package
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
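As an added defensive example (not code from html-to-text, minimist, or either advisory above), the following sketch shows the kind of fix both advisories point at: a dotted-key setter in the spirit of minimist's setKey() that refuses __proto__-style path segments, and a check that Object.prototype stayed clean after parsing the two argument forms quoted above. The function names safeSetKey, parseArgs and prototypeHasOwn are hypothetical.

```javascript
// Added example, not html-to-text's or minimist's code: a dotted-key setter in
// the spirit of minimist's setKey() that refuses to reach Object.prototype.
// Path segments that would address a shared prototype instead of an own property.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Set `value` at a dotted path such as "out.dir" on `target`, creating
// null-prototype intermediates. Throws rather than applying an unsafe segment.
function safeSetKey(target, path, value) {
  const segments = path.split('.');
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) throw new Error('unsafe key segment: ' + seg);
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Descend only into own plain-object properties, never inherited ones.
    if (!Object.prototype.hasOwnProperty.call(node, seg) ||
        typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = Object.create(null);
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Parse "--key.path=value" / "--flag" arguments. Rejected keys are recorded
// instead of crashing, the failure mode the advisory gives for --__proto__=Polluted.
function parseArgs(argv) {
  const result = Object.create(null);
  const rejected = [];
  for (const arg of argv) {
    if (!arg.startsWith('--') || arg.length === 2) continue;
    const eq = arg.indexOf('=');
    const key = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
    const value = eq === -1 ? true : arg.slice(eq + 1);
    try {
      safeSetKey(result, key, value);
    } catch (err) {
      rejected.push(key);
    }
  }
  return { result, rejected };
}

// Detection check: true only if Object.prototype itself gained an own property.
const prototypeHasOwn = (name) => Object.prototype.hasOwnProperty.call(Object.prototype, name);

// Constructed sample input using the two argument forms quoted in the advisory.
const parsed = parseArgs(['--__proto__.y=Polluted', '--__proto__=Polluted', '--out.dir=build']);
console.log(parsed.result, parsed.rejected, prototypeHasOwn('y'));
```

Running it prints the parsed object with only out.dir set, the two rejected keys, and false for the prototype check, so the process neither pollutes Object.prototype nor crashes.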