node-notifier version 6.0.0 is compared here with version 5.4.5. The core functionality, delivering native desktop notifications on macOS, Windows, and Linux, is the same in both, but the runtime dependencies and the development tooling differ substantially. Despite the version numbers, 5.4.5 is not the release that preceded 6.0.0: as the release dates below show, it was published later, as a maintenance release on the 5.x line.
One key difference lies in the runtime dependencies. Version 6.0.0 moves is-wsl from the pinned 1.1.0 to ^2.1.1 and semver from the pinned 5.5.0 to ^6.3.0. Both are major-version jumps, and both switch from an exact pin to a caret range, so the version a consumer actually installs is whatever the lockfile resolves within that range rather than a single known version. When auditing a tree that contains node-notifier 6.0.0, check the resolved versions in the lockfile (for example with npm ls is-wsl semver) instead of assuming the minimum listed in package.json.
The development dependencies see a more substantial overhaul. ESLint and its related configs and plugins (eslint-config-semistandard, eslint-config-standard, eslint-plugin-import, eslint-plugin-node, eslint-plugin-promise, eslint-plugin-standard) are all bumped to newer major versions, which means newer linting rules and coding standards for contributors. The test runner moves from Jest ^23.2.0 to ^24.9.0, and lint-staged moves from ^8.1.0 to ^9.3.0. These are devDependencies: they affect people working on node-notifier itself and are not installed by projects that merely depend on the package, so they do not change the dependency surface of a consuming application.
The larger unpacked size of version 6.0.0 compared with 5.4.5 is consistent with a release that carries more changes, though size alone says nothing about what changed. The release dates run counter to the version numbers: 6.0.0 was published in 2019, while 5.4.5 was published in 2021, so 5.4.5 is a later patch release on the 5.x line rather than the direct predecessor of 6.0.0.
Known vulnerabilities affecting version 6.0.0 of the package:
OS Command Injection in node-notifier
This affects node-notifier versions before 8.0.1, so 6.0.0 falls inside the affected range. It allows an attacker to run arbitrary commands on Linux machines because option parameters are not sanitised when they are passed as an array; on Linux the package delivers notifications by invoking notify-send, so an unsanitised option value reaches a command line. The fix is in 8.0.1, and upgrading to 8.0.1 or later is the remediation for consumers; any code path in which a caller outside your trust boundary can supply notification options to an earlier version should be treated as a command-execution sink until the upgrade is done.