js-yaml is a popular npm package providing YAML 1.2 parsing and serialization for JavaScript environments. Version 3.0.1 follows closely on version 3.0.0, which suggests minor bug fixes or small enhancements rather than significant feature additions. Both versions share the same core dependencies, *argparse* for argument parsing and *esprima* for ECMAScript parsing, so developers relying on these dependencies won't encounter breaking changes introduced by dependency updates between the two versions. The developer dependencies, with *mocha* for testing, are likewise unchanged and confirm a commitment to code quality.
The license field, specifying the MIT license and linking to its location on GitHub, is consistent across both versions, so the open-source status and usage rights of the library are unchanged. The repository and author fields are identical too, so developers can find and track the library as before. The most apparent differences are the dist tarball URLs and the releaseDate timestamps, since the newer version includes a patch. The transition from version 3.0.0, released on December 16, 2013, to version 3.0.1, released just six days later on December 22, 2013, implies a quick response to address issues or improve stability. Developers should examine the changelog (if available) or the commit history between these releases to understand the precise nature of the changes and decide whether the 3.0.1 update is relevant to their use case.
All vulnerabilities affecting version 3.0.1 of the package:
Denial of Service in js-yaml
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. When parsing a carefully crafted YAML file, the Node process stalls and may exhaust system resources, leading to a Denial of Service.
Upgrade to version 3.13.0.
Code Injection in js-yaml
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.
An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object
{
"1553107949161": 1
}
Upgrade to version 3.13.1.
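An added example, not code from js-yaml or from the advisory: a pre-parse guard that flags YAML documents carrying the JavaScript-specific tags that only the full schema would resolve, so untrusted input can be logged and rejected before it reaches a parser. The real fix remains upgrading and using safeLoad(); the tag spellings checked (the verbatim form from the payload above and the equivalent !!js/ shorthand) and the handling of %TAG directives are assumptions drawn from YAML 1.2 tag syntax.

```javascript
// Added example, not js-yaml's own code: scan an untrusted YAML document for
// JavaScript-specific tags before it reaches load(). The fix for the advisory
// is upgrading js-yaml and parsing with safeLoad(); this guard is a
// defence-in-depth check for alerting on input that is only dangerous under
// the full schema. Tag spellings are assumed from YAML 1.2 syntax: "!!js/..."
// (default secondary handle) and the verbatim "!<tag:yaml.org,2002:js/...>"
// form that appears in the advisory payload.

const JS_TAG_PATTERNS = [
  // verbatim tag, exactly as in the advisory payload
  { re: /!<tag:yaml\.org,2002:js\/[^>\s]*>/, why: 'verbatim js tag' },
  // shorthand via the default "!!" handle, e.g. !!js/function
  { re: /!!js\/[A-Za-z]+/, why: 'shorthand !!js/ tag' },
  // a %TAG directive can rebind "!!" or define a new handle, so a static scan
  // cannot tell what later tags resolve to; flag the document for review
  { re: /^%TAG\b/, why: '%TAG directive rebinds tag handles' },
];

// Returns one finding per matching pattern per line: { line, text, why }.
function findJsTags(yamlText) {
  const findings = [];
  yamlText.split(/\r?\n/).forEach((text, idx) => {
    for (const { re, why } of JS_TAG_PATTERNS) {
      if (re.test(text)) findings.push({ line: idx + 1, text, why });
    }
  });
  return findings;
}

// True when the document carries no JS tags and may be handed to a parser.
function isSafeToLoad(yamlText) {
  return findJsTags(yamlText).length === 0;
}

// Constructed samples: the advisory's payload, a benign document, and a
// harmless function tagged with the shorthand handle.
const SAMPLES = {
  advisoryPayload:
    "{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1",
  benign: 'name: js-yaml\nversion: 3.0.1\n',
  shorthand: "f: !!js/function 'function () { return 1; }'\n",
};

for (const [name, doc] of Object.entries(SAMPLES)) {
  const findings = findJsTags(doc);
  console.log(`${name}: ${findings.length === 0 ? 'ok' : 'REJECT'}`,
    findings.map((f) => `line ${f.line}: ${f.why}`).join('; '));
}
```

The scan is intentionally conservative: a tag spelled inside a quoted scalar or a comment will also be flagged, which is acceptable for an alerting guard but means it must not replace the parser's own schema restriction.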
Arbitrary Code Execution in underscore
The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.
Regular Expression Denial of Service in underscore.string
Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).
The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.
Upgrade to version 3.3.5 or higher.