serialize-to-js version 1.2.2 updates both its development toolchain and its runtime dependencies compared to version 1.2.1. The runtime dependency bumps are js-beautify, which moves from ^1.7.5 to ^1.8.9, and safer-eval, which moves from ^1.2.3 to ^1.3.0.
On the development side, eslint jumps from ^4.18.2 to ^5.11.1, together with the related plugins eslint-config-standard, eslint-plugin-import, eslint-plugin-node, eslint-plugin-promise, and eslint-plugin-standard, which points to a focus on code quality and current JavaScript standards. istanbul is dropped in favour of nyc for code coverage, and mocha moves from ^5.0.1 to ^5.2.0.
The core functionality of serializing objects to JavaScript is unchanged. The dependency updates can contribute to improved security (safer-eval) and maintainability; note, however, that the safer-eval advisories listed below apply to all versions of that package, so the ^1.3.0 bump on its own does not resolve them. The unpacked size changes from 18813 to 18850 bytes, which suggests a few other small file changes. The two releases are roughly seven months apart. For developers, upgrading to 1.2.2 offers a modernized toolchain with current linting and testing tools while keeping the same serialize-to-js API.
All vulnerabilities related to version 1.2.2 of the package
Denial of Service in serialize-to-js
Versions of serialize-to-js prior to 2.0.0 are vulnerable to Denial of Service. User input is not properly validated, allowing attackers to provide inputs that lead the execution to loop indefinitely.
Upgrade to version 2.0.0 or later.
Cross-Site Scripting in serialize-to-js
Versions of serialize-to-js prior to 3.0.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.
Upgrade to version 3.0.1 or later.
Sandbox Breakout / Arbitrary Code Execution in safer-eval
All versions of safer-eval are vulnerable to Sandbox Escape leading to Remote Code Execution. It is possible to escape the sandbox by forcing exceptions recursively in the evaluated code. This may allow attackers to execute arbitrary code on the system.
The package is not suited to receive arbitrary user input. Consider using an alternative package.
Sandbox Breakout / Arbitrary Code Execution in safer-eval
All versions of safer-eval are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context and is not suited to process arbitrary user input. This may allow attackers to execute arbitrary code on the system.
The package is not meant to receive user input. Consider using an alternative package until a fix is made available.
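The advisories above each state an affected range and, where one exists, a fixed version. The following script is an added example, not code from serialize-to-js, safer-eval or the advisory source: it transcribes those ranges into a small table and walks a resolved dependency tree (a constructed object shaped like a lockfile's name-to-version nesting; the advisory `id` labels are also constructed) to report every affected node, including safer-eval reached transitively through serialize-to-js 1.2.2. Version comparison is a minimal MAJOR.MINOR.PATCH compare written here so the script has no dependencies.

```javascript
// Added example: audit a resolved dependency tree against the advisories on this page.
// Not part of serialize-to-js or safer-eval. Advisory ranges are transcribed from the page;
// the 'id' values are constructed labels.
const ADVISORIES = [
  { id: 'serialize-to-js-dos', pkg: 'serialize-to-js', title: 'Denial of Service', fixedIn: '2.0.0' },
  { id: 'serialize-to-js-xss', pkg: 'serialize-to-js', title: 'Cross-Site Scripting', fixedIn: '3.0.1' },
  // "All versions" on the page: no fixed version, so every version matches.
  { id: 'safer-eval-sandbox', pkg: 'safer-eval', title: 'Sandbox Breakout / Arbitrary Code Execution', fixedIn: null },
];

// Parse "MAJOR.MINOR.PATCH" (a leading "v" and any prerelease/build suffix are ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric compare of the three components; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Advisories that apply to one package at one resolved version:
// affected when there is no fixed version, or the version is below it.
function affectedAdvisories(pkg, version) {
  return ADVISORIES.filter(
    (a) => a.pkg === pkg && (a.fixedIn === null || compareVersions(version, a.fixedIn) < 0),
  );
}

// Recursively walk { name: { version, dependencies? } } and collect findings with the
// dependency path, so a transitive hit (safer-eval under serialize-to-js) is attributable.
function auditTree(tree, path = []) {
  const findings = [];
  for (const [name, node] of Object.entries(tree)) {
    const here = [...path, `${name}@${node.version}`];
    for (const adv of affectedAdvisories(name, node.version)) {
      findings.push({ path: here.join(' > '), title: adv.title, fixedIn: adv.fixedIn });
    }
    if (node.dependencies) findings.push(...auditTree(node.dependencies, here));
  }
  return findings;
}

// Constructed sample tree: an app resolving serialize-to-js 1.2.2, which pulls in safer-eval ^1.3.0.
const SAMPLE_TREE = {
  'serialize-to-js': {
    version: '1.2.2',
    dependencies: { 'safer-eval': { version: '1.3.0' } },
  },
};

// Print a report when run directly (CommonJS); harmless no-op under ESM.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditTree(SAMPLE_TREE)) {
    const fix = f.fixedIn ? `upgrade to ${f.fixedIn} or later` : 'no fixed version; replace the package';
    console.log(`${f.path}: ${f.title} (${fix})`);
  }
}
```

Against the constructed tree the report lists three findings: both serialize-to-js advisories for 1.2.2 and the safer-eval sandbox escape reached through it. Because the safer-eval entry has no fixed version, bumping serialize-to-js to 3.0.1 clears its own two findings but the transitive one persists until the dependency on safer-eval is removed, which matches the remediation wording in the advisories.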