Prettier 0.21.0 is a minor update to the popular opinionated JavaScript formatter, building upon version 0.20.0. Both versions share the core functionality of automatically formatting code to adhere to a consistent style, reducing debates about formatting in development teams. Developers can expect code cleaned up automatically according to Prettier's established rules.
Looking at the dependencies, the core runtime dependencies remain unchanged between 0.20.0 and 0.21.0. This suggests the core formatting logic and supported JavaScript/Flow features were largely stable between the two releases, with no new breaking changes and no newly supported language features in 0.21.0.
Similarly, the development dependencies, crucial for building and testing the Prettier package itself, are identical between versions. This indicates no significant shifts in the development workflow or testing methodologies utilized by the Prettier team. Developers contributing to Prettier's development would find a consistent environment across both versions.
The only real difference is the release date: 0.21.0 was released on March 3, 2017, a few days after version 0.20.0 on February 28, 2017. This suggests that version 0.21.0 likely contains minor bug fixes or small improvements identified shortly after the 0.20.0 release. Upgrading from 0.20.0 to 0.21.0 is likely a safe and recommended move to benefit from these potential improvements, without anticipating major changes.
All the vulnerabilities related to version 0.21.0 of the package:
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application. This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
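Both minimist advisories above describe the same sink: a dotted argument key such as --__proto__.y=Polluted is walked segment by segment into the result object, and a __proto__ segment resolves to Object.prototype, so the final assignment lands on every object in the process. The JavaScript below is an added illustration, not minimist's or Prettier's code: a toy dotted-key argument parser with the vulnerable walk (unsafeSetKey) beside a hardened setKey that refuses __proto__, constructor and prototype segments and only walks into properties the object itself owns, plus a small pre-parse scan of argv that a defender can use to log or reject such arguments before they reach any parser. The function names parseArgs, splitArg, unsafeSetKey, hardenedSetKey and findPollutionAttempts and the sample arguments are assumptions made for this example.

```javascript
// Added example (not minimist's own code): a minimal "--a.b.c=value" parser
// showing how the prototype-pollution sink arises and how to close it.

// Path segments that must never be used when walking into an object.
const BLOCKED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split one "--key.path=value" argument into its dotted path and value.
// Arguments without "=" become boolean flags; non "--" arguments are ignored.
function splitArg(arg) {
  if (!arg.startsWith('--')) return null;
  const eq = arg.indexOf('=');
  const key = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
  const value = eq === -1 ? true : arg.slice(eq + 1);
  return { path: key.split('.'), value };
}

// Parse argv into a nested object; `setKey` decides how each path is written.
function parseArgs(argv, setKey) {
  const result = {};
  for (const arg of argv) {
    const parsed = splitArg(arg);
    if (parsed) setKey(result, parsed.path, parsed.value);
  }
  return result;
}

// Vulnerable sink (the pattern the advisories describe): it walks into whatever
// obj[segment] resolves to, so a "__proto__" segment yields Object.prototype
// and the last assignment modifies every object in the process.
function unsafeSetKey(obj, path, value) {
  let cur = obj;
  for (const seg of path.slice(0, -1)) {
    if (cur[seg] === undefined) cur[seg] = {};
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
  return true;
}

// Hardened sink: refuse the whole assignment if any segment is a prototype
// accessor, and only descend into plain objects the result itself owns, never
// into values reached through the prototype chain.
function hardenedSetKey(obj, path, value) {
  if (path.some((seg) => BLOCKED_SEGMENTS.has(seg))) return false;
  let cur = obj;
  for (const seg of path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
  return true;
}

// Detection helper: return the arguments that carry a blocked segment, so a
// wrapper can log and reject them before handing argv to any parser.
function findPollutionAttempts(argv) {
  return argv.filter((arg) => {
    const parsed = splitArg(arg);
    return parsed !== null && parsed.path.some((seg) => BLOCKED_SEGMENTS.has(seg));
  });
}

// Constructed sample argv, including the payload quoted in the advisory.
const SAMPLE_ARGV = ['--__proto__.y=Polluted', '--name=demo', '--a.b=1'];

// Stand-alone run: the hardened parser drops the dangerous argument and keeps
// the rest; the scan reports which argument was rejected.
console.log('rejected:', findPollutionAttempts(SAMPLE_ARGV));
console.log('parsed:', JSON.stringify(parseArgs(SAMPLE_ARGV, hardenedSetKey)));
console.log('({}).y after hardened parse:', ({}).y);
```

The hardened variant returns false instead of partially applying a rejected path, which keeps the result object free of half-written entries and gives the caller a single place to log the event; the scan function is the same check applied before parsing, useful when the parser itself is a third-party dependency that cannot be modified.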