http-server 0.11.0 is a minor release over 0.10.0. The command-line usage is unchanged: it is still a zero-configuration static file server for quick prototyping and serving static content. The difference is in the dependency manifest. The notable change is that ecstatic, the library that actually serves the files and handles caching headers and directory indexing, moves from 2.0.0 to ^3.0.0. A major version bump signals breaking changes in ecstatic's own API, so the behaviour http-server exposes through it (content types for different static file types, caching, directory listings) should be re-checked against ecstatic's changelog rather than assumed to be a pure improvement. The caret range also matters: ^3.0.0 resolves to the newest 3.x at install time, so two installs of the same http-server version can pull different ecstatic releases. The common-style entry is a devDependency, a development-time tool; devDependencies are not installed for consumers of the package and have no effect on what the server does at runtime. The roughly nine months between the two release dates suggests accumulated bug fixes, but the changelog, not the elapsed time, is what to verify. For users, 0.11.0 is mainly worth taking for the newer ecstatic, especially if they hit problems or need features in that version; a quick review of ecstatic's changelog is recommended before upgrading.
All known vulnerabilities affecting version 0.11.0 of the package (each of them in a dependency, qs or ecstatic, rather than in http-server's own code)
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because the protection can be bypassed. The qs.parse function fails to prevent an object's prototype from being altered when parsing arbitrary input: input containing [ or ] may bypass the prototype pollution protection and alter Object.prototype. This lets an attacker set properties that then appear on every object in the process, which may lead to Denial of Service or, in specific circumstances, Remote Code Execution.
Upgrade qs to 6.0.4, 6.1.2, 6.2.3, or 6.3.2 or later, whichever matches the branch in use.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because a `__proto__` key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
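Both qs advisories above come down to the same mistake: a bracket-notation parser that walks `a[b][c]` into nested plain objects and treats `__proto__` like any other key, so the walk steps onto `Object.prototype` and writes to it. The following is an added example, not code from http-server, qs or ecstatic: a toy parser in that style, in a naive form that can be polluted and a hardened form that cannot. The function names are the example's own; the first payload is constructed, and the second is the one quoted in the advisory directly above. The toy does not reproduce the qs process hang, which depends on qs internals the toy does not replicate; it shows only the prototype write and how the hardened form refuses it.

```javascript
// Added example (not code from http-server, qs or ecstatic): a toy bracket-notation
// query-string parser, first in a naive form that lets a "__proto__" key reach
// Object.prototype, then in a hardened form that does not.

// Split "a[b][c]" into ["a", "b", "c"]; a key without brackets yields one segment.
function splitKey(key) {
  const m = /^([^\[]*)((?:\[[^\]]*\])*)$/.exec(key);
  if (!m) return [key];
  const segments = [m[1]];
  const re = /\[([^\]]*)\]/g;
  let b;
  while ((b = re.exec(m[2])) !== null) segments.push(b[1]);
  return segments;
}

// "k1=v1&k2=v2" -> [["k1","v1"], ["k2","v2"]], percent-decoding both halves.
function splitPairs(query) {
  return query.split('&').filter(Boolean).map((pair) => {
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    return [decodeURIComponent(rawKey), decodeURIComponent(rawVal)];
  });
}

// Naive parser: containers are plain {} and an existing value is reused if it
// looks like an object. obj["__proto__"] is an inherited accessor that returns
// Object.prototype, so the walk lands on the global prototype and writes to it.
function parseQueryNaive(query) {
  const result = {};
  for (const [key, value] of splitPairs(query)) {
    const segments = splitKey(key);
    let cur = result;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      if (cur[seg] === null || typeof cur[seg] !== 'object') cur[seg] = {};
      cur = cur[seg];
    }
    cur[segments[segments.length - 1]] = value;
  }
  return result;
}

// Hardened parser: null-prototype containers (no inherited __proto__ accessor),
// own-property checks only, and the three key names that reach a prototype are
// dropped and reported instead of assigned.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function parseQuerySafe(query) {
  const params = Object.create(null);
  const rejected = [];
  for (const [key, value] of splitPairs(query)) {
    const segments = splitKey(key);
    const bad = segments.find((s) => FORBIDDEN_KEYS.has(s));
    if (bad !== undefined) {
      rejected.push(`${key} (segment "${bad}")`);
      continue;
    }
    let cur = params;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      const own = Object.prototype.hasOwnProperty.call(cur, seg);
      if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) {
        cur[seg] = Object.create(null);
      }
      cur = cur[seg];
    }
    cur[segments[segments.length - 1]] = value;
  }
  return { params, rejected };
}

// Feed a polluting payload to a parser and report whether an unrelated, freshly
// created object now carries the attacker's property. The property is removed
// again afterwards so the rest of the process is not left polluted.
function demonstratePollution(parser) {
  const payload = 'a[__proto__][polluted]=yes'; // constructed payload
  parser(payload);
  const leaked = ({}).polluted; // 'yes' after the naive parser, undefined after the safe one
  delete Object.prototype.polluted;
  return leaked;
}

// The payload quoted in the advisory above, run through the hardened parser.
const ADVISORY_PAYLOAD = 'a[__proto__]=b&a[__proto__]&a[length]=100000000';
console.log(demonstratePollution(parseQueryNaive), demonstratePollution(parseQuerySafe));
console.log(parseQuerySafe(ADVISORY_PAYLOAD).rejected);
```

For an application that only consumes http-server, the fix is not to patch parsing but to move the dependency tree onto fixed versions; `npm ls qs ecstatic` shows which versions a given http-server install actually resolves, which is the first thing to check against the fixed-version lists above.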
Denial of Service in ecstatic
ecstatic has a denial of service vulnerability. Successful exploitation can crash the application that embeds it, which for http-server means the server process itself.