NYC version 14.0.0 introduces several updates compared to the prior stable release, 13.3.0, offering developers enhanced functionality for code coverage analysis. The key improvements are in the dependencies, which reflect upgraded underlying tools.

Version 14.0.0 updates yargs from 12.0.5 to 13.2.2 and yargs-parser from 11.1.1 to 13.0.0, which may change command-line argument parsing behavior and require adjustments from users who rely on specific argument structures. The test-exclude dependency is updated from 5.1.0 to 5.2.2. Package installations become more streamlined with make-dir updated from 1.3.0 to 2.1.0. The updates to istanbul-reports (2.1.1 to 2.2.2), istanbul-lib-hook (2.0.3 to 2.0.6), istanbul-lib-coverage (2.0.3 to 2.0.4), istanbul-lib-instrument (3.1.0 to 3.2.0), and istanbul-lib-source-maps (3.0.2 to 3.0.5) signal improvements and bug fixes for coverage reports, instrumentation, and source map handling, so developers should benefit from more accurate and reliable insights into code coverage. Developers should also note that the newer version removes arrify as a dependency.

Development dependencies change as well, with the removal of mocha and forking-tap and updates to tap and standard-version. The overall unpacked package size is drastically reduced in version 14.0.0, from 10.5MB to just 110KB, indicating potential optimizations or refactoring of bundled assets.
All vulnerabilities related to version 14.0.0 of the package
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase CPU usage and crash the program by supplying a very large, well-crafted string.