Prettier version 0.22.0 represents a minor update to the widely used JavaScript formatter, building upon the foundation laid by version 0.21.0. Both versions share the core functionality of automatically formatting code to adhere to a consistent style, eliminating style debates and improving code readability across projects. They bundle essential dependencies such as glob, chalk, babylon, esutils, minimist, ast-types, get-stdin, flow-parser, jest-validate, and babel-code-frame, ensuring consistent parsing and formatting capabilities. For development and testing, both rely on diff, jest, and rollup along with their respective rollup plugins.
The key change in version 0.22.0 is the introduction of typescript and typescript-eslint-parser as development dependencies. This addition signals a stronger focus on TypeScript support within Prettier. Developers working on TypeScript projects will find version 0.22.0 particularly useful, as it likely incorporates improved parsing and formatting rules tailored to TypeScript syntax. While the core dependencies and basic tooling remain the same, the enhanced TypeScript integration in 0.22.0 makes it the more compelling choice for projects that use TypeScript. The gap between the two release dates also suggests that bug fixes or small non-breaking improvements are included.
All vulnerabilities related to version 0.22.0 of the package
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application. This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
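The two advisories above describe the same root cause: a setKey()-style routine that walks a dotted argument path and assigns onto whatever object it lands on, including Object.prototype. The following is an added example, not minimist's or Prettier's own code, showing a hardened version of that pattern (unsafe path segments are rejected, intermediate objects are created without a prototype) together with a probe a defender can run after parsing untrusted arguments; the function names setKeySafe, parseArgs and isPrototypePolluted are assumptions made for this example.

```javascript
// Added example (not minimist's code): a minimal "--a.b=value" argument parser
// in the style of minimist's setKey(), hardened against the prototype-pollution
// pattern from the advisories above.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walks the dotted path, creating prototype-less objects along the way, and
// assigns the value. Returns false (assigning nothing) if any segment would
// step onto Object.prototype, e.g. ["__proto__", "y"] or ["__proto__"].
function setKeySafe(obj, keys, value) {
  if (keys.some((k) => UNSAFE_KEYS.has(k))) return false;
  let o = obj;
  for (const k of keys.slice(0, -1)) {
    if (o[k] === null || typeof o[k] !== 'object') {
      // Object.create(null) has no prototype chain to pollute
      o[k] = Object.create(null);
    }
    o = o[k];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Parses only "--key=value" / "--a.b=value" arguments (enough for the example).
// Returns { argv, rejected }, where rejected lists the arguments that were
// dropped because they would have modified a prototype.
function parseArgs(args) {
  const argv = Object.create(null);
  const rejected = [];
  for (const arg of args) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    if (!setKeySafe(argv, m[1].split('.'), m[2])) rejected.push(arg);
  }
  return { argv, rejected };
}

// Post-parse check: a fresh object literal should not see a property it never
// owned. If the advisory's payload had been applied, "y" would be visible here.
function isPrototypePolluted(probeKey) {
  return probeKey in {};
}

// Constructed sample input mirroring the advisory's payload plus benign flags.
const sample = ['--__proto__.y=Polluted', '--name=prettier', '--a.b=1'];
const result = parseArgs(sample);
console.log(result.rejected, isPrototypePolluted('y')); // [ '--__proto__.y=Polluted' ] false
```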