Version 3.3.3 of the string npm package represents a minor update over the previous stable version, 3.3.2. Both versions provide enhanced string manipulation capabilities beyond standard JavaScript, offering functionalities like HTML escaping/unescaping, HTML entity decoding, and tag stripping, making them useful for sanitizing user input and processing web content. The core functionality and API remain consistent between the two, ensuring a smooth transition for existing users. Looking at the package.json, the listed dependencies and devDependencies are identical, indicating no changes in the tools used for building, testing or developing the library itself.
The primary difference lies in the releaseDate: version 3.3.3 was published just a few hours after 3.3.2, suggesting that 3.3.3 fixes a minor bug or contains some other small improvement uncovered shortly after releasing 3.3.2. While the specific nature of fixes or improvements isn't detailed, upgrading to 3.3.3 is generally recommended to benefit from the latest refinements and potential bug fixes. Developers using string.js should consider this update a routine maintenance upgrade to ensure they are using the most stable and up-to-date version of the library. The library remains MIT licensed and hosted on GitHub.
All the vulnerabilities related to the version 3.3.3 of the package
Regular Expression Denial of Service in string package
Affected versions of string are vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.
There is currently no direct patch for this vulnerability.
Currently, the best solution is to avoid passing user input to the underscore and unescapeHTML methods.
Alternatively, a user provided patch is available in Pull Request #217, however this patch has not been tested, nor has it been merged by the package author.
