Prettier version 1.3.0 represents a notable update from the previous stable release, version 1.2.2, bringing subtle yet important changes for JavaScript developers. Both versions share the core functionality of Prettier as an opinionated code formatter designed to enforce a consistent style across projects. Key dependencies such as glob, chalk, babylon, esutils, minimist, ast-types, get-stdin, jest-validate, and babel-code-frame remain consistent, ensuring core functionality isn't drastically altered.
The most significant change lies in the updated flow-parser dependency, moving from version 0.43.0 in 1.2.2 to 0.45.0 in 1.3.0. This update can introduce improved Flow type annotation parsing, potentially influencing how Prettier handles codebases heavily relying on Flow.
In the devDependencies, the updates are slightly more noticeable. The typescript version jumps from 2.2.1 to 2.3.2, suggesting enhancements in how Prettier handles TypeScript code formatting. Perhaps some features were updated to support new syntax introduced with the new version, or maybe some bugs were fixed. A notable difference is the typescript-eslint-parser, which is specified with a git link. This suggests that prettier developers rely on the git version of the library.
Ultimately, the transition from 1.2.2 to 1.3.0 is a considered upgrade, focusing on evolutionary improvements. Check the github page for a more detailed explanation of the changes.
All the vulnerabilities related to the version 1.3.0 of the package
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
