Package-json-validator has a new version, 0.6.7, released right after version 0.6.6, both on October 15, 2024. These versions provide tools for validating package.json files, crucial for ensuring the integrity and correctness of Node.js projects. Developers relying on this validator will find both packages equipped with the same core dependencies, including "optimist" for command-line argument parsing. The developer tooling, specified in devDependencies, remains consistent between the versions, suggesting a focus on maintaining and refining existing functionalities rather than introducing significant new features. This tooling incorporates a robust suite of linters, formatters, and release management tools such as "eslint," "prettier," "release-it," and "@release-it/conventional-changelog," ensuring code quality and streamlined releases. The consistent use of these tools indicates a commitment to established development practices.
The key difference is that the file count in "dist" and the "unpackedSize" increased in the newer version, which indicates a small change to the underlying library files. For those downloading the tarball directly, the newer version contains one extra file.
For developers, the package offers strong assurances that their package.json files adhere to defined standards, which matters most during build processes, where a faulty package.json can cause errors. Because no devDependencies changed between the versions, the upgrade will not affect the local developer environment.
All vulnerabilities related to version 0.6.7 of the package
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application. This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
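Both advisories above concern how minimist's setKey() walks a dotted key path. The following is an added example, not code from minimist or package-json-validator: a minimal "--key.sub=value" parser whose hardened setKey refuses the path segments that reach Object.prototype, together with a check that the prototype stayed clean after parsing the payloads quoted above. The names safeSetKey, parseArgs and isPrototypePolluted are assumptions made for this illustration.

```javascript
// Illustrative hardened argument parser (not minimist's implementation).
// Keys that, used as a path segment on an ordinary object, let a caller
// reach Object.prototype instead of the target object.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened counterpart of a setKey(obj, ['a', 'b'], value) routine:
// creates the nested path but rejects any forbidden segment up front.
function safeSetKey(obj, keys, value) {
  for (const k of keys) {
    if (FORBIDDEN_SEGMENTS.has(k)) {
      throw new Error(`refusing to set key path containing "${k}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (typeof cur[k] !== 'object' || cur[k] === null) {
      // Object.create(null) has no prototype chain, so even a later
      // mistake cannot climb to Object.prototype through this node.
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
}

// Parse ["--a.b=1", "--flag"] into a prototype-less result object.
// Rejected arguments are collected so the caller can log or fail loudly
// instead of silently applying them.
function parseArgs(argv) {
  const result = Object.create(null);
  const rejected = [];
  for (const arg of argv) {
    if (!arg.startsWith('--')) continue;
    const eq = arg.indexOf('=');
    const path = (eq === -1 ? arg.slice(2) : arg.slice(2, eq)).split('.');
    const value = eq === -1 ? true : arg.slice(eq + 1);
    try {
      safeSetKey(result, path, value);
    } catch (e) {
      rejected.push(arg);
    }
  }
  return { result, rejected };
}

// Post-parse detection check: did Object.prototype gain an own property?
// This is exactly what "--__proto__.y=Polluted" does on a vulnerable parser.
function isPrototypePolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}
```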