Js-yaml, a popular npm package for parsing and serializing YAML 1.2, saw a minor version bump from 3.4.4 to 3.4.5 in late November 2015. Both versions share the same core functionality, providing developers with a reliable tool for working with YAML data in JavaScript environments. The descriptions, dependencies (argparse ^1.0.2, esprima ^2.6.0), devDependencies (ansi, benchmark, eslint 0.24.1, eslint-plugin-nodeca ^1.0.3, istanbul, mocha), license (MIT), repository (GitHub), and author details remain consistent, indicating no fundamental changes to the project's structure or licensing.
The primary visible difference lies in the version number and the release date. Version 3.4.5 was released on November 23, 2015, a couple of days after version 3.4.4, released on November 21, 2015. While the specifics of the changes between these two versions aren't explicitly stated in the provided data, it's reasonable to infer that version 3.4.5 likely includes minor bug fixes, performance improvements, or small adjustments identified and addressed shortly after the release of 3.4.4. For developers, especially in production environments, upgrading to the latest patch version (3.4.5 in this case) is generally recommended to benefit from the latest fixes and ensure stability when using js-yaml for robust YAML parsing and serialization. The package is easily installable from the npm registry and offers a straightforward API for integrating YAML functionality.
All the vulnerabilities related to version 3.4.5 of the package
Denial of Service in js-yaml
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully crafted YAML file, the node process stalls and may exhaust system resources, leading to a Denial of Service.
Upgrade to version 3.13.0.
Code Injection in js-yaml
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected, because its schema does not include the js/function tag and the tag is rejected instead of being turned into a function.
An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object
{
"1553107949161": 1
}
The key of the returned object is the value of Date.now(): when load() stores a mapping whose key is itself an object, it converts that key to a string property name, which calls the injected toString function.
Upgrade to version 3.13.1.
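As an added example that is not js-yaml's own code, the following guard applies the advice above to YAML from untrusted sources: it scans for js/* tags before parsing and then uses only the safeLoad() API named in the advisory. The helper names findJsTags and loadUntrusted, the injected yaml parameter and the sample documents are assumptions made for this illustration.

```javascript
// Added example, not js-yaml's own code: a guard for YAML that arrives from
// untrusted sources, written against the js-yaml 3.x API named on this page.
// The real control is safeLoad(), whose schema has no js/* tags; the scanner
// in front of it is defence in depth and gives a hook for logging/alerting.

// Tags js-yaml constructs into JavaScript types. "!!js/x" is the shorthand
// for the verbatim "!<tag:yaml.org,2002:js/x>" form used in the advisory.
const JS_TAG_RE = /(?:!!js\/|!<tag:yaml\.org,2002:js\/)([A-Za-z]+)>?/g;

// Returns every js/* tag found, with its 1-based line number.
function findJsTags(yamlText) {
  const hits = [];
  yamlText.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(JS_TAG_RE)) {
      hits.push({ line: idx + 1, tag: 'js/' + m[1] });
    }
  });
  return hits;
}

// Parses untrusted YAML with the safe schema only. `yaml` is the js-yaml
// module (require('js-yaml')); injecting it keeps this file dependency-free.
function loadUntrusted(yamlText, yaml) {
  const hits = findJsTags(yamlText);
  if (hits.length > 0) {
    const where = hits.map((h) => `${h.tag}@L${h.line}`).join(', ');
    throw new Error(`rejected YAML containing JS tags: ${where}`);
  }
  // safeLoad() (3.x) fails on unknown tags instead of constructing them;
  // in js-yaml 4.x, load() with the default schema behaves the same way.
  return yaml.safeLoad(yamlText);
}

// Constructed samples: the advisory's payload, its shorthand form, and a
// benign document that must still parse.
const PAYLOAD =
  "{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1";
const SHORTHAND = "key: !!js/function 'function(){}'\nother: 1";
const BENIGN = 'name: js-yaml\nversion: 3.4.5\n';
```

Call it as loadUntrusted(text, require('js-yaml')); the scanner's findings are what you would forward to logging or alerting, and the parse itself never reaches load().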