The npm package open opens a file or URI with the user's preferred application, so a Node.js program can hand an external resource to the desktop without knowing which browser or viewer is installed. Comparing versions 0.0.0 and 0.0.2 shows a few changes. Version 0.0.0 defines the core function and lists no development dependencies; version 0.0.2 adds Mocha as a development dependency, which indicates that a test suite was introduced.
A more noteworthy difference is the repository URL. Version 0.0.0 pointed to "git://github.com/fixedset/open.js.git", while version 0.0.2 points to "git://github.com/jjrdn/node-open.git", suggesting a change of maintainer or project location that anyone wanting to contribute or report issues should confirm. Both versions name the same author, "J Jordan", with a minor difference in the email and name format ("J. Jordan" versus "J Jordan").
The addition of Mocha says only that tests were added; it is not evidence that the package handles untrusted input safely, and 0.0.2 is covered by the command-injection advisory listed below.
All vulnerabilities affecting version 0.0.2 of the package
Command Injection in open
Versions of open before 6.0.0 are vulnerable to command injection when unsanitized user input is passed in.
The package does come with the following warning in the readme:
The same care should be taken when calling open as if you were calling child_process.exec directly. If it is an executable it will run in a new shell.
open is now the renamed opn package (opn itself is deprecated). Upgrading to the latest version is likely to have unwanted effects, since it now has a very different API, but it will prevent this vulnerability.