Jsdoc-api version 5.0.1 offers notable improvements over its predecessor, version 4.0.3, primarily concerning its dependencies and build. A key distinction lies in the updated jsdoc dependency, moving from "~3.5.5" to "^3.6.1", potentially introducing new features, bug fixes, and performance enhancements from the jsdoc project itself. This upgrade ensures compatibility with a more recent jsdoc release, which is essential for developers leveraging its documentation generation capabilities. Array-back dependency also gets an upgrade from "^2.0.0" to "^3.1.0" which provides a more robust javascript support. The updated version boasts a significantly smaller unpacked size (25879 vs 1073044) and fewer files in the distributed package (9 vs 51), indicating a leaner and more efficient build process which might improve installation speed and reduce disk space usage. The development dependencies have also been updated, with "coveralls" moving from "^3.0.0" to "^3.0.3" and "test-runner" moving from "~0.5.0" to "~0.5.1". These reflect refinements in testing and code coverage practices. These changes suggest a focus on optimization and modernization. Developers using jsdoc-api will benefit from a more streamlined package with updated dependencies, potentially leading to better performance and improved compatibility with the latest jsdoc features and JavaScript ecosystem.
All the vulnerabilities related to the version 5.0.1 of the package
TaffyDB can allow access to any data items in the DB
TaffyDB allows attackers to forge adding additional properties into user-input processed by taffy which can allow access to any data items in the DB. Taffy sets an internal index for each data item in its DB. However, it is found that the internal index can be forged by adding additional properties into user-input. If index is found in the query, TaffyDB will ignore other query conditions and directly return the indexed data item. Moreover, the internal index is in an easily-guessable format (e.g., T000002R000001). As such, attackers can use this vulnerability to access any data items in the DB. Note: taffy and its successor package taffydb are not maintained.
