Prettier version 0.14.1 is a minor release following 0.14.0 in the popular JavaScript code formatter. Both versions share the same core functionality, offering opinionated formatting for improved code consistency. Examining the package data reveals identical dependencies, including crucial tools like glob for file matching, babylon and flow-parser for JavaScript parsing, esutils for ECMAScript language utilities, and ast-types for working with Abstract Syntax Trees. Development dependencies, crucial for building and testing the package, also remain unchanged. These include jest for testing and a suite of rollup plugins for bundling the code, suggesting a focus on stability and incremental improvements rather than major architectural changes between the releases.
The primary difference reflected in the data lies in the releaseDate. Version 0.14.1 was published shortly after 0.14.0, around 15 minutes later. This suggests that the 0.14.1 patch addresses a bug fix, or some other small but essential change that prompted a quick release. For developers, using either version provides the core Prettier formatting benefits. However, opting for 0.14.1 is advisable to incorporate any potential fixes or minor enhancements included in that immediate follow-up release, ensuring the most stable and up-to-date behavior for their code formatting workflow.
All the vulnerabilities related to version 0.14.1 of the package
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
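As an added example covering both advisories above (this is not the advisory text and not minimist's own code), the following is a minimal argv parser modelled on the nested-key assignment that setKey() performs, with the guard a patched setKey() needs: any path segment named __proto__, constructor or prototype is refused instead of being written, so --__proto__.y=Polluted becomes a no-op and --__proto__=Polluted no longer crashes. The function names setKeySafe, parseArgs and isObjectPrototypePolluted, and the probe property name, are assumptions of this example.

```javascript
// Added example: a hardened nested-key setter plus a tiny argv parser.
// Not minimist's code; the guard mirrors the idea of the upstream fix,
// which is to skip keys that would reach Object.prototype.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assign `value` at the dotted path `keys` inside `obj`, creating
// intermediate plain objects as needed. Returns false (and writes nothing)
// when any path segment could walk into Object.prototype.
function setKeySafe(obj, keys, value) {
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (UNSAFE_KEYS.has(key)) return false;
    // Only descend into an own, non-null object; otherwise shadow it.
    if (!Object.prototype.hasOwnProperty.call(o, key) ||
        typeof o[key] !== 'object' || o[key] === null) {
      o[key] = {};
    }
    o = o[key];
  }
  const last = keys[keys.length - 1];
  if (UNSAFE_KEYS.has(last)) return false;
  o[last] = value;
  return true;
}

// Parse a list of arguments: `--a.b=v` sets a nested value, `--flag`
// sets true, and anything else is collected under `_` as in minimist.
function parseArgs(argv) {
  const result = { _: [] };
  for (const arg of argv) {
    if (!arg.startsWith('--')) {
      result._.push(arg);
      continue;
    }
    const body = arg.slice(2);
    const eq = body.indexOf('=');
    const name = eq === -1 ? body : body.slice(0, eq);
    const value = eq === -1 ? true : body.slice(eq + 1);
    setKeySafe(result, name.split('.'), value);
  }
  return result;
}

// Defender-side check: after parsing untrusted input, a fresh object must
// not carry the probe property. `probe` is a constructed name for the test.
function isObjectPrototypePolluted(probe) {
  return ({})[probe] !== undefined;
}

// Constructed input: the two payloads quoted in the advisory plus a
// benign nested option and a positional file name.
const sampleArgv = [
  '--__proto__.y=Polluted',
  '--__proto__=Polluted',
  '--a.b=1',
  'file.js',
];

function demo() {
  const parsed = parseArgs(sampleArgv);
  return { parsed, polluted: isObjectPrototypePolluted('y') };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo()));
}
```

The detection check is the part worth keeping around independently: running isObjectPrototypePolluted with a property name that no legitimate code defines, right after an untrusted argv or JSON document has been parsed, turns a silent prototype pollution into a failed assertion.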