Inquirer.js is a powerful npm package designed to simplify the creation of interactive command-line interfaces. Versions 0.1.0 and 0.1.1 share the same core functionality, offering developers a streamlined way to build engaging CLI experiences. Both versions rely on dependencies like 'async', 'charm', and 'lodash' to manage asynchronous operations, terminal styling, and utility functions respectively. They also share the same development dependencies including chai, grunt, mocha, sinon, grunt-cli, proxyquire, grunt-release, grunt-simple-mocha and grunt-contrib-jshint . This indicates a consistent testing and build process.
The key difference lies in their release dates, with version 0.1.1 being published on May 21, 2013, just two days after version 0.1.0. While the specific changes between these minor versions are not explicitly detailed in the provided metadata, it is common for such incremental updates to include bug fixes, performance improvements, or minor feature enhancements. Users upgrading from 0.1.0 to 0.1.1 could likely expect a more stable and refined experience. Developers should consider updating to the latest stable version to benefit from these refinements and ensure compatibility with their projects. Both versions use the permissive MIT license, encouraging wide adoption and modification. The package is hosted on Github.
All the vulnerabilities related to the version 0.1.1 of the package
Prototype Pollution in lodash
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.12 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.5 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.5 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.11 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.11 or later.
Regular Expression Denial of Service (ReDoS) in lodash
lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.
Regular Expression Denial of Service (ReDoS) in lodash
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Steps to reproduce (provided by reporter Liyuan Chen):
var lo = require('lodash');
function build_blank(n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}
return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.