nyc 13.3.0 is a minor release of the command-line interface for Istanbul, the JavaScript code-coverage tool. Compared with the previous stable release, 13.2.0, the package description is unchanged; the differences are in its dependencies.
Two Istanbul libraries are bumped: istanbul-reports from 2.1.0 to 2.1.1 and istanbul-lib-instrument from 3.0.1 to 3.1.0. A patch bump normally carries bug fixes and a minor bump may add features, so the changelogs of those two packages are the authoritative record of what changed in report generation and instrumentation; developers who depend on exact coverage output should read them before upgrading. The published tarball is also slightly larger, growing from 2199 to 2282 files and from 10370290 to 10518257 bytes unpacked. Version 13.3.0 was released on February 14, 2019.
Known vulnerabilities affecting nyc 13.3.0 through its dependency tree. The two advisories below concern packages nyc depends on, not nyc's own code; to see which versions your installation actually resolves, run npm ls yargs-parser cross-spawn, or run npm audit.
yargs-parser: prototype pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Argument names are not sanitized, so an attacker who controls the arguments can reach the prototype of Object through a dotted key and add or modify a property that then appears on every object. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if the attacker controls the arguments being passed to yargs-parser.
Fix: upgrade to 13.1.2, 15.0.1, 18.1.1 or later (the patched release of the 13.x, 15.x and 18.x lines respectively).
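The mechanism behind the advisory, as an added example that is not yargs-parser's code: a deliberately minimal parser for "--a.b.c value" arguments that expands dotted keys by walking nested objects, shown next to a hardened version. It reproduces the class of bug (the "__proto__" path segment resolving to Object.prototype) rather than the library's actual implementation; the function names parseArgs, setPath and setPathSafe and the sample argument lists are assumptions made for the example.

```javascript
// Added example, not yargs-parser's code: a minimal "--a.b.c value" argv parser
// that reproduces the class of bug the advisory describes, next to a hardened
// version. Function names (parseArgs, setPath, setPathSafe) are hypothetical.

// Vulnerable: expands a dotted key by walking/creating nested objects, trusting
// every path segment. The segment "__proto__" resolves to Object.prototype, so
// the final assignment lands on the shared prototype instead of on the result.
function setPath(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
}

// Hardened: refuse the segments that reach the prototype chain, and only descend
// into objects the result itself owns (never into inherited properties).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new Error(`refusing unsafe key "${k}"`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
}

// Parses ["--key", "value", ...] pairs into an object using the supplied setter.
// A flag with no following value becomes true.
function parseArgs(argv, setter) {
  const result = {};
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) continue;
    const key = arg.slice(2);
    const next = argv[i + 1];
    const value = next !== undefined && !next.startsWith('--') ? argv[++i] : true;
    setter(result, key, value);
  }
  return result;
}

// Feeds the advisory's payload to the vulnerable parser. The "bar" property does
// not show up on the parsed object; it shows up on an unrelated fresh object.
function demoVulnerable() {
  const parsed = parseArgs(['--foo.__proto__.bar', 'baz'], setPath);
  const polluted = ({}).bar === 'baz';
  delete Object.prototype.bar; // undo the pollution so the rest of the process is unaffected
  return { polluted, ownKeysOfFoo: Object.keys(parsed.foo) };
}

// Same payload against the hardened parser: rejected before any assignment.
function demoHardened() {
  let error = null;
  try {
    parseArgs(['--foo.__proto__.bar', 'baz'], setPathSafe);
  } catch (e) {
    error = e.message;
  }
  return { polluted: ({}).bar === 'baz', error };
}

console.log(demoVulnerable()); // { polluted: true, ownKeysOfFoo: [] }
console.log(demoHardened());   // { polluted: false, error: 'refusing unsafe key "__proto__"' }
console.log(parseArgs(['--db.host', 'localhost', '--db.port', '5432', '--verbose'], setPathSafe));
```

The telling detail is that the vulnerable parse looks successful: the returned object is just { foo: {} }, and the injected property is only visible on objects the parser never touched. That is why a fixed deny-list of prototype-reaching segments plus an own-property check on each descent is the usual remediation, and why the advisory's "only exploitable if attackers control the arguments" caveat matters: the payload has to arrive through argv, or through whatever array the application hands to the parser.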
cross-spawn: Regular Expression Denial of Service (ReDoS)
Versions of cross-spawn before 7.0.5 are vulnerable to ReDoS because of improper input sanitization: a large, specially crafted string drives a regular expression into catastrophic backtracking, so an attacker who can influence the arguments of a spawned command can pin the CPU and crash the program. Upgrade to 7.0.5 or later.