Jacoco-parse is a lightweight npm package designed to convert JaCoCo coverage reports into a more easily digestible JSON format. Leveraging the output structure of lcov-parse, it provides a convenient way for developers to programmatically access and analyze code coverage data generated by JaCoCo, a popular Java code coverage tool. Both versions 2.0.0 and 2.0.1 share the same core functionality and dependencies, making upgrading straightforward. The mocha package is used for testing, ensuring the library's reliability, while xml2js handles the XML parsing of the JaCoCo reports. The package is MIT licensed, allowing for broad usage in both open-source and commercial projects.
The key difference between versions 2.0.0 and 2.0.1 lies in under-the-hood refinements. Unpacked size grew slightly, from 340,507 bytes to 343,768 bytes. Although the two releases look identical from the outside, version 2.0.1, released on January 31, 2019, incorporates bug fixes and minor improvements, giving it better stability than version 2.0.0, released on September 18, 2018. Developers already using jacoco-parse should upgrade to version 2.0.1 to benefit from these improvements and ensure they are using the most robust version. For new users, version 2.0.1 is recommended. The library is maintained by Vokal and hosted on GitHub, making it easy to contribute to or report issues.
All vulnerabilities affecting version 2.0.1 of the package
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
xml2js is vulnerable to prototype pollution
xml2js versions before 0.5.0 allow an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.
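A hardened dotted-key setter plus a post-parse pollution check, as an added example that is not code from jacoco-parse, minimist or xml2js. It illustrates the minimist advisory above (a setKey()-style routine that refuses prototype-chain segments) and the same kind of key validation the xml2js advisory says was missing before 0.5.0; all function names and the sample argument list are assumptions.

```javascript
// Added example, not library code. Keys that can reach Object.prototype are
// refused before any assignment happens; the check afterwards confirms that a
// fresh object inherited nothing new.
const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "--a.b=value" into [['a', 'b'], 'value']; null for anything else.
function splitArg(arg) {
  const m = /^--([^=]+)=(.*)$/.exec(arg);
  return m ? [m[1].split('.'), m[2]] : null;
}

// Assign value at the dotted path on obj. Returns false (assigning nothing)
// if any segment could walk into the prototype chain.
function safeSetKey(obj, path, value) {
  if (path.some((seg) => DANGEROUS_SEGMENTS.has(seg))) return false;
  let cur = obj;
  for (const seg of path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) {
      cur[seg] = {}; // never reuse an inherited value as a container
    }
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
  return true;
}

// Parse an argv-style list, collecting rejected arguments for logging.
function parseArgs(argv) {
  const result = {};
  const rejected = [];
  for (const arg of argv) {
    const parsed = splitArg(arg);
    if (!parsed) continue;
    if (!safeSetKey(result, parsed[0], parsed[1])) rejected.push(arg);
  }
  return { result, rejected };
}

// Detection: list what a brand-new object inherits. A clean runtime returns
// []; a polluted one returns the injected keys (e.g. ['y']).
function prototypePollutionCheck() {
  const leaked = [];
  for (const key in {}) leaked.push(key);
  return leaked;
}

// Constructed sample input modelled on the advisory's arguments.
const SAMPLE_ARGV = ['--report.path=jacoco.xml', '--__proto__.y=Polluted', '--__proto__=Polluted'];
const demo = parseArgs(SAMPLE_ARGV);
console.log(JSON.stringify(demo.result), demo.rejected, prototypePollutionCheck());
```

Log the rejected arguments in production: an untrusted caller submitting `__proto__` paths is a useful detection signal in itself.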