Twig.js is a JavaScript templating engine that brings the Twig templating language, well known from the PHP world, to the browser and to Node.js. Versions 0.9.4 and 0.9.5 share the same core dependencies: minimatch for flexible file matching, phpjs for PHP-style functions in JavaScript, and walk for traversing directory trees. Both also use the same developer tooling for testing and building: chai and should for assertions, mocha as the test runner, sinon and sinon-chai for mocking and spying, and tokenizer, webpack and exports-loader for code transformation and bundling. These tools support code quality and efficient builds, which matter to developers looking for stability and performance.
The key difference lies in the release date. Version 0.9.5 was released on May 14, 2016, a single day after version 0.9.4, and contains bug fixes and minor improvements. For developers already using Twig.js, upgrading from 0.9.4 to 0.9.5 is recommended to pick up the latest fixes and any performance improvements. Given the very small gap between releases, the changes are likely small: the core functionality remains consistent, so the upgrade should cause minimal disruption while potentially resolving minor issues encountered in the prior version. The unchanged architecture and dependency structure keep the development environment familiar.
All vulnerabilities related to version 0.9.5 of the package
Prototype Pollution in phpjs
All versions of phpjs up to and including 1.3.2 are vulnerable to Prototype Pollution via parse_str. phpjs is no longer maintained and users are advised to use Locutus as a replacement (https://github.com/locutusjs/locutus).
Directory Traversal in send
Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access, it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. For example, static(__dirname + '/public') would allow access to __dirname + '/public-restricted'.
Update to version 0.8.4 or later.
Root Path Disclosure in send
Versions of send prior to 0.11.2 are affected by an information leakage vulnerability which may allow an attacker to enumerate paths on the server filesystem.
Update to version 0.11.1 or later.
send vulnerable to template injection that can lead to XSS
Passing untrusted user input, even after sanitizing it, to SendStream.redirect() may execute untrusted code.
This issue is patched in send 0.19.0.
Users are encouraged to upgrade to the patched version of express, but otherwise can work around this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist.
Successful exploitation of this vector requires the following:
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input
Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Update to version 2.0.3 or later.
Regular Expression Denial of Service in fresh
Affected versions of fresh are vulnerable to regular expression denial of service when parsing specially crafted user input.
Update to version 0.5.2 or later.
Arbitrary Code Execution in underscore
The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.
Regular Expression Denial of Service (ReDoS)
A vulnerability was found in diff before v3.5.0: the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Growl before 1.10.0 vulnerable to Command Injection
Affected versions of growl do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution.
Update to version 1.10.0 or later.