Ts-jest version 23.10.1 is a minor patch release following version 23.10.0, both designed to seamlessly integrate TypeScript with the Jest testing framework. Both versions offer pre-processing capabilities and source map support, crucial for debugging TypeScript code within Jest. Looking at dependencies, both versions share identical dependencies, including json5, mkdirp, semver, bs-logger, make-error, buffer-from, yargs-parser, and fast-json-stable-stringify. The devDependencies are also identical, encompassing testing and development tools like jest, husky, eslint, tslint, js-yaml, fs-extra, prettier, and numerous @types packages to support TypeScript development. The peer dependency on jest remains consistent, requiring a version greater than or equal to 22 and less than 24, ensuring compatibility with a specific range of Jest versions and developers targeting that range.
The key difference between the two versions appears to be the releaseDate. Version 23.10.1 was released on September 20, 2018, while 23.10.0 was released on September 19, 2018. The unpackedSize is slightly different, with 23.10.1 being 197999 and 23.10.0 being 194648. That can mean that this release is a patch over the earlier version, so it could include bug fixes or minor improvements. Developers should probably upgrade to 23.10.1, as patch versions usually contain important fixes.
All the vulnerabilities related to the version 23.10.1 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
