Ts-jest version 18.0.0 represents an incremental update over version 17.0.3, primarily focused on aligning with the Jest ecosystem. The key change lies in the peer dependency for Jest, which moves from "~17.0.0" to "~18.0.0", reflecting compatibility with the newer major version of the testing framework. This ensures that developers using Jest 18.x can seamlessly integrate ts-jest without version conflicts.
Furthermore, the "@types/lodash.assign", "@types/lodash.pickby", "@types/lodash.includes", "@types/lodash.partition" are added as devDependencies. This can improve the development experience, providing typescript definitions for lodash utilities, enabling better type checking and autocompletion. Another change on the devDependencies with the new version is that "@types/source-map-support":"latest" is specified. This helps during development with source map support, improving the debugging experience.
The dependencies remain consistent, indicating that the core functionality of ts-jest in transforming TypeScript code for Jest consumption remains stable. While the core functionality remains, version 18.0.0 indicates a commitment to keeping pace with the evolving Jest ecosystem. For developers using ts-jest, upgrading to 18.0.0 ensures compatibility with Jest 18.x and unlocks the potential benefits of both libraries' latest features and improvements.
All the vulnerabilities related to the version 18.0.0 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
Uncontrolled Resource Consumption in trim-newlines
@rkesters/gnuplot is an easy to use node module to draw charts using gnuplot and ps2pdf. The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods.
Known affected plugins are:
@babel/plugin-transform-runtime@babel/preset-env when using its useBuiltIns option@babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regeneratorNo other plugins under the @babel/ namespace are impacted, but third-party plugins might be.
Users that only compile trusted code are not impacted.
The vulnerability has been fixed in @babel/traverse@7.23.2.
Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.
@babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version.@babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:
@babel/plugin-transform-runtime v7.23.2@babel/preset-env v7.23.2@babel/helper-define-polyfill-provider v0.4.3babel-plugin-polyfill-corejs2 v0.4.6babel-plugin-polyfill-corejs3 v0.8.5babel-plugin-polyfill-es-shims v0.10.0babel-plugin-polyfill-regenerator v0.5.3