NYC version 13.2.0 is an incremental update to the popular Istanbul command-line tool for JavaScript code coverage, building on the foundation established by version 13.1.0. The key changes are dependency upgrades. The yargs package, responsible for command-line argument parsing, jumps from version 11.1.0 to ^12.0.5, suggesting enhancements in argument handling or new command-line options. Similarly, yargs-parser advances from version 9.0.2 to ^11.1.1, possibly bringing improved parsing or bug fixes.
The istanbul-related libraries are also updated. istanbul-reports moves from version 2.0.1 to ^2.1.0, indicating new reporting formats or improvements to existing ones. istanbul-lib-hook goes from 2.0.1 to ^2.0.3, istanbul-lib-report from 2.0.2 to ^2.0.4, istanbul-lib-coverage from 2.0.1 to ^2.0.3, istanbul-lib-instrument from 3.0.0 to ^3.0.1, and istanbul-lib-source-maps from 2.0.1 to ^3.0.2. In addition, test-exclude progresses from version 5.0.0 to ^5.1.0 and caching-transform from version 2.0.0 to ^3.0.1, both bringing bug fixes and new features, while rimraf moves from ^2.6.2 to ^2.6.3, a bug-fix release. The debug-log dependency was removed in version 13.2.0. Developers integrating NYC into their workflows benefit from staying current with these updates, as they often incorporate performance improvements, bug fixes, and new features that streamline the code coverage process for JavaScript projects.
All vulnerabilities related to version 13.2.0 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of a property that will then exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
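The advisory above describes dotted argument paths reaching Object.prototype. As an added example (not nyc's or yargs-parser's own code), the following minimal dotted-key argument parser shows the two defences a maintainer would want: refusing the path segments __proto__, constructor and prototype outright, and building the result from null-prototype containers so that no intermediate object can bridge to the shared prototype. It also includes a post-parse integrity check that a test suite can run to confirm Object.prototype is still clean. All function names and the argument forms accepted are this example's own assumptions.

```javascript
// Added example (not nyc's or yargs-parser's own code): a minimal dotted-key
// argument parser hardened against prototype pollution, plus a post-parse
// integrity check. All function names are this example's own.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assign `value` at the dotted path `path` inside `target`, refusing any
// path segment that could reach Object.prototype.
function setDotted(target, path, value) {
  const segments = path.split('.');
  let cursor = target;
  for (let i = 0; i < segments.length; i++) {
    const key = segments[i];
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing unsafe key segment "${key}" in --${path}`);
    }
    if (i === segments.length - 1) {
      cursor[key] = value;
    } else {
      if (!Object.prototype.hasOwnProperty.call(cursor, key)) {
        // Null-prototype containers have no __proto__ accessor to abuse.
        cursor[key] = Object.create(null);
      }
      cursor = cursor[key];
    }
  }
  return target;
}

// Parse argv tokens of the form --a.b=c or --a.b c; a bare --flag becomes true.
function parseArgs(argv) {
  const result = Object.create(null);
  for (let i = 0; i < argv.length; i++) {
    const token = argv[i];
    if (!token.startsWith('--')) continue;
    let key = token.slice(2);
    let value;
    const eq = key.indexOf('=');
    if (eq !== -1) {
      value = key.slice(eq + 1);
      key = key.slice(0, eq);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    } else {
      value = true;
    }
    setDotted(result, key, value);
  }
  return result;
}

// Runtime check: none of the suspect keys is visible on a fresh plain object,
// i.e. nothing leaked onto the shared Object.prototype.
function isObjectPrototypeClean(suspectKeys) {
  return suspectKeys.every((k) => !(k in {}));
}

// Constructed inputs: a benign argument list and the argument shape quoted in
// the advisory, which the hardened parser rejects instead of applying.
function demo() {
  const benign = parseArgs(['--foo.bar', 'baz', '--verbose']);
  let rejected = false;
  try {
    parseArgs(['--foo.__proto__.bar', 'baz']);
  } catch (e) {
    rejected = true;
  }
  return { benign, rejected, clean: isObjectPrototypeClean(['bar']) };
}
```

The key-name deny list and the null-prototype containers are independent layers: on a null-prototype object __proto__ is an ordinary own property, so even a parser that forgot the deny list could not reach Object.prototype through it. The isObjectPrototypeClean check is the kind of assertion worth adding to a CLI's test suite when it pins a yargs-parser version in the affected range.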
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can drive up CPU usage and crash the program by supplying a very large, well-crafted string.
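An argument-escaping step like the one cross-spawn performs typically has to count backslashes that precede a quote or sit at the end of the string. As an added example (not cross-spawn's own code), the functions below do that with single-pass loops and an up-front length cap, so the step cannot become a ReDoS sink. The regex shape they avoid is a greedy group anchored at end-of-string, e.g. /(\\*)$/, which backtracks quadratically on a long run of backslashes followed by a non-backslash character; the names and the MAX_ARG_LENGTH value are this example's own assumptions.

```javascript
// Added example (not cross-spawn's own code): linear-time argument escaping
// with an input-length cap, as a ReDoS-safe alternative to end-anchored
// greedy regexes. Function names and the cap are this example's assumptions.

const MAX_ARG_LENGTH = 64 * 1024; // assumption: a cap suitable for a CLI argument

// Count trailing backslashes with one backward scan: O(n), no regex.
function countTrailingBackslashes(arg) {
  let n = 0;
  for (let i = arg.length - 1; i >= 0 && arg[i] === '\\'; i--) n++;
  return n;
}

// Double the run of backslashes at the very end of the argument, the task
// for which /(\\*)$/ is commonly used. Oversize input is rejected before any
// processing, so the worst case is bounded even if a regex sneaks back in.
function doubleTrailingBackslashes(arg) {
  if (typeof arg !== 'string') throw new TypeError('arg must be a string');
  if (arg.length > MAX_ARG_LENGTH) {
    throw new RangeError(`argument exceeds ${MAX_ARG_LENGTH} characters`);
  }
  const n = countTrailingBackslashes(arg);
  return n === 0 ? arg : arg + '\\'.repeat(n);
}

// Escape embedded double quotes in one forward pass: each run of backslashes
// immediately before a quote is doubled and the quote itself is escaped,
// which is the same result /(\\*)"/g with '$1$1\\"' produces, without
// backtracking.
function escapeDoubleQuotes(arg) {
  let out = '';
  let run = 0;
  for (const ch of arg) {
    if (ch === '\\') { run++; continue; }
    if (ch === '"') {
      out += '\\'.repeat(run * 2) + '\\"';
    } else {
      out += '\\'.repeat(run) + ch;
    }
    run = 0;
  }
  return out + '\\'.repeat(run);
}

// Constructed worst-case input for the end-anchored regex: many backslashes
// followed by one other character. The loop version handles it in one pass.
function demo() {
  const hostile = '\\'.repeat(50000) + 'a';
  return {
    unchanged: doubleTrailingBackslashes(hostile) === hostile,
    escaped: escapeDoubleQuotes('say "hi"\\'),
  };
}
```

The length cap is the cheap, general mitigation: ReDoS needs both a super-linear pattern and an input long enough to make the exponent hurt, and bounding the input removes the second ingredient for every regex in the code path, not only the one that was found.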