NYC version 13.0.1 is a patch release that builds on version 13.0.0. It focuses on refinements and dependency updates rather than on new features; for developers, the notable changes are in the updated dependency tree.
Specifically, test-exclude is bumped from version 4.2.2 to version 5.0.0, which may change the file-exclusion logic used during coverage runs. The find-cache-dir dependency receives a major version update from 1.0.0 to 2.0.0, affecting how NYC locates and uses cache directories. istanbul-reports moves from version 1.5.0 to 2.0.0, bringing newer reporting capabilities. Several istanbul-lib packages are updated as well: istanbul-lib-hook (2.0.0 to 2.0.1), istanbul-lib-report (2.0.0 to 2.0.1), istanbul-lib-coverage (2.0.0 to 2.0.1) and istanbul-lib-instrument (2.2.0 to 2.3.2); istanbul-lib-source-maps is unchanged. Together these updates touch how code is instrumented, how coverage data is collected and how reports are generated. Finally, find-up goes from version 2.1.0 to 3.0.0 and caching-transform from 1.0.1 to 2.0.0. Version 13.0.1 also increases the number of files and the unpacked size of the published package, reflecting these internal upgrades. These incremental updates make version 13.0.1 a recommended upgrade for developers who want the latest fixes and stability improvements in NYC.
All vulnerabilities affecting version 13.0.1 of the package
Denial of Service in mem
Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.
Upgrade to version 4.0.0 or later.
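The defect described above is a cache that honours maxAge on reads but never frees expired entries, so memory grows with every distinct key ever seen. The following is an added example, not code from mem or from NYC, of a memoizer that sweeps expired entries on each access so the cache is bounded by the keys seen within one maxAge window. The names memoizeWithMaxAge, makeClock and simulateKeyStream are this example's own, and the key stream is a constructed stand-in for attacker-influenced input reaching a memoized call.

```javascript
// Added example (not mem's own code): a memoizer with a maxAge that actually
// evicts expired entries, so a stream of distinct keys cannot grow the cache
// without bound.
function memoizeWithMaxAge(fn, { maxAge, now = Date.now } = {}) {
  const cache = new Map();

  // Drop every entry older than maxAge. Running this on each access bounds
  // the cache by the number of keys seen within one maxAge window rather than
  // the number of keys seen over the process lifetime.
  function evictExpired() {
    const t = now();
    for (const [key, entry] of cache) {
      if (t - entry.at > maxAge) cache.delete(key);
    }
  }

  const memoized = function (arg) {
    evictExpired();
    const hit = cache.get(arg);
    if (hit) return hit.value;
    const value = fn(arg);
    cache.set(arg, { value, at: now() });
    return value;
  };
  memoized.cacheSize = () => cache.size;
  return memoized;
}

// Simulated clock so eviction can be demonstrated deterministically offline.
function makeClock(start = 0) {
  let t = start;
  return { now: () => t, advance: (ms) => { t += ms; } };
}

// Constructed scenario: a stream of distinct keys (for instance values lifted
// from request parameters into a memoized log formatter) arriving every
// stepMs. Returns the peak and final cache size and how often fn ran.
function simulateKeyStream(keys, maxAge, stepMs) {
  const clock = makeClock();
  let calls = 0;
  const m = memoizeWithMaxAge((k) => { calls++; return k.length; }, { maxAge, now: clock.now });
  let peak = 0;
  for (const k of keys) {
    m(k);
    peak = Math.max(peak, m.cacheSize());
    clock.advance(stepMs);
  }
  return { peak, final: m.cacheSize(), calls };
}

// Stand-alone run: 100 distinct keys, maxAge 50 ms, one key every 10 ms.
// Without eviction the cache would hold 100 entries; with it, at most 6.
if (typeof require !== 'undefined' && require.main === module) {
  const keys = Array.from({ length: 100 }, (_, i) => `key-${i}`);
  console.log(simulateKeyStream(keys, 50, 10));
}
```

The sweep is linear in the cache size, which is acceptable for a small cache; for a large one a practitioner would pair the timestamps with a heap or a periodic timer, but the property that matters for the advisory is the same: an entry older than maxAge must leave the map, not merely be ignored.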
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
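To make the advisory concrete from the defender's side, here is an added example, not yargs-parser's own code, of a minimal dotted-key argument setter in its naive form beside a hardened form that refuses the `__proto__`, `constructor` and `prototype` segments and never walks onto the prototype chain, plus a detector that flags such arguments for logging. The functions unsafeSetPath, safeSetPath, parseArgs and findPollutionAttempts are this example's own names; the argument list is the one quoted in the advisory.

```javascript
// Added example (not yargs-parser's own code): naive vs hardened dotted-key
// argument handling, and a detector for prototype-pollution attempts.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive setter, the pattern the advisory describes: descending through
// "__proto__" lands on Object.prototype, so the final assignment becomes
// visible on every object in the process.
function unsafeSetPath(target, path, value) {
  const parts = path.split('.');
  let cur = target;
  for (const p of parts.slice(0, -1)) {
    if (cur[p] === undefined) cur[p] = {};
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened setter: reject forbidden segments outright, and only descend into
// own, plain-object properties; intermediates are prototype-less objects.
function safeSetPath(target, path, value) {
  const parts = path.split('.');
  for (const p of parts) {
    if (FORBIDDEN_SEGMENTS.has(p)) {
      throw new Error(`refusing key segment "${p}" in "${path}"`);
    }
  }
  let cur = target;
  for (const p of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, p);
    if (!own || typeof cur[p] !== 'object' || cur[p] === null) {
      cur[p] = Object.create(null);
    }
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Minimal "--key value" / "--key=value" parser parameterised by the setter.
function parseArgs(argv, setter) {
  const result = {};
  for (let i = 0; i < argv.length; i++) {
    const a = argv[i];
    if (!a.startsWith('--')) continue;
    const eq = a.indexOf('=');
    let key, value;
    if (eq !== -1) {
      key = a.slice(2, eq);
      value = a.slice(eq + 1);
    } else {
      key = a.slice(2);
      const next = argv[i + 1];
      value = next !== undefined && !next.startsWith('--') ? argv[++i] : true;
    }
    setter(result, key, value);
  }
  return result;
}

// Detection: return the raw arguments whose key path contains a forbidden
// segment, suitable for an audit log before the arguments are parsed.
function findPollutionAttempts(argv) {
  return argv.filter((a) => {
    if (!a.startsWith('--')) return false;
    const eq = a.indexOf('=');
    const key = eq !== -1 ? a.slice(2, eq) : a.slice(2);
    return key.split('.').some((seg) => FORBIDDEN_SEGMENTS.has(seg));
  });
}
```

Usage: `parseArgs(['--foo.__proto__.bar', 'baz'], unsafeSetPath)` leaves `({}).bar === 'baz'` afterwards, which is the behaviour the advisory describes; the same call with safeSetPath throws before anything is written. The own-property check matters beyond the blocklist: a key such as `foo.toString.x` would otherwise descend into an inherited function value.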
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase CPU usage and crash the program by supplying a very large, well-crafted string.