Node-notifier versions 5.4.5 and 5.4.4 are very similar, sharing the same core functionality for delivering cross-platform native notifications from Node.js applications across macOS, Windows, and Linux. Developers using this library can trigger notifications without needing to delve into platform-specific APIs. Both versions maintain the same set of core dependencies, including growly for Growl support, is-wsl for detecting Windows Subsystem for Linux, semver for semantic versioning, shellwords for shell command parsing, and which for locating executables. The development dependencies, used for testing and linting, are also identical, featuring tools like ESLint, Prettier, Jest, and Husky to ensure code quality and consistency.
However, examining the dist section reveals subtle differences: version 5.4.5 has a slightly smaller unpacked size (1368797 bytes) than version 5.4.4 (1368817 bytes), suggesting minor code adjustments or a change in the build process. More significantly, version 5.4.5 was released a little over an hour after version 5.4.4. Such a rapid follow-up release usually signals a quick fix or immediate patch for a bug or issue discovered shortly after the initial publish. Although the specific nature of this fix is not stated, upgrading to version 5.4.5 is generally recommended, especially if you encounter any issues with 5.4.4. Developers should generally prefer the newest available version within a major/minor release to pick up the latest fixes.
All vulnerabilities related to version 5.4.5 of the package
OS Command Injection in node-notifier
This affects the package node-notifier before 8.0.1. It allows an attacker to run arbitrary commands on Linux machines because the options parameters are not sanitised when an array is passed. Since 5.4.5 is earlier than 8.0.1, both versions compared above fall within the affected range; upgrading to 8.0.1 or later is the fix.