Underscore.js saw a few notable changes between version 1.10.2 and 1.11.0. While both versions maintain the core functionality as a JavaScript functional programming helper library under the MIT license, the differences primarily lie in the development dependencies and build process. Version 1.11.0 boasts an updated build pipeline, showcasing a shift from rollup@0.59.4 and uglify-js@3.3.21 to rollup@1.32.1 and terser@4.6.13 for minification. This update generally implies improvements in build performance, potentially better code optimization, and support for newer JavaScript features during the build process.
Also, the file count and unpacked size of the library significantly increased in the newer version. The file count went from 11 to 474, and unpacked size increased from 278034 to 611192.
For developers using Underscore.js, these dependency changes are mostly transparent. However, they suggest a more modern development approach. Developers contributing to Underscore.js, or those interested in its build process, will find value in these updates. The choice between versions depends on the developer's specific needs: if compatibility with older build tools is critical, version 1.10.2 might be preferable; otherwise, version 1.11.0 provides more up-to-date dependencies and potentially better performance in a modern JavaScript environment. Both versions continue to be readily available through npm, offering a flexible and powerful utility belt for functional programming in JavaScript.
All the vulnerabilities related to version 1.11.0 of the package
Arbitrary Code Execution in underscore
The package underscore, from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, because that value is not sanitized before it is used in the compiled template source.
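The mitigation a consumer of an affected version can apply is to refuse any template settings whose variable value is not a bare identifier before it reaches the template function. The following is an added example, not Underscore's own code: assertSafeTemplateSettings and compileMinimalTemplate are hypothetical names, and compileMinimalTemplate is a constructed, stripped-down stand-in for a template compiler that shows where the variable name ends up (as a parameter name handed to new Function), which is why an unchecked value matters. The identifier regex is this example's own; the fixed Underscore releases perform a check of the same kind.

```javascript
// Added example (not Underscore's code). Demonstrates validating the `variable`
// template setting so that only a bare identifier can become the compiled
// function's parameter name.

// Constructed rule: an ECMAScript-style bare identifier (no spaces, operators,
// or punctuation other than $ and _).
const BARE_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

// Hypothetical helper: returns the settings object if `variable` is absent or a
// bare identifier, otherwise throws. Call this before passing settings to any
// template compiler that splices `variable` into generated source.
function assertSafeTemplateSettings(settings) {
  const s = settings || {};
  if (s.variable !== undefined) {
    if (typeof s.variable !== 'string' || !BARE_IDENTIFIER.test(s.variable)) {
      throw new TypeError(
        'template "variable" must be a bare identifier, got: ' + JSON.stringify(s.variable)
      );
    }
  }
  return s;
}

// Constructed stand-in for a template compiler (not Underscore's implementation).
// Supports only <%= name %> interpolation; the point is the last line, where the
// (now validated) variable name becomes a parameter of a Function built from text.
function compileMinimalTemplate(text, settings) {
  const s = assertSafeTemplateSettings(settings);
  const argName = s.variable || 'obj';
  const body =
    "return '" +
    text
      .replace(/\\/g, '\\\\')
      .replace(/'/g, "\\'")
      .replace(/\n/g, '\\n')
      .replace(/<%=\s*([\w$]+)\s*%>/g, (_, prop) => "' + (" + argName + "." + prop + ") + '") +
    "';";
  return new Function(argName, body);
}

// Hypothetical demo: the first two calls compile, the third is rejected up front.
function demo() {
  const greet = compileMinimalTemplate('Hello <%= name %>!', { variable: 'data' });
  const plain = compileMinimalTemplate('Hi <%= name %>');
  let rejected = false;
  try {
    compileMinimalTemplate('x', { variable: 'data = 1' });
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { greeted: greet({ name: 'Ann' }), plain: plain({ name: 'Bo' }), rejected: rejected };
}
```

In practice the wrapper goes in front of the real template call: run assertSafeTemplateSettings on any settings object that comes from configuration or user input, and treat a thrown TypeError as a hard failure rather than falling back to a default name. Upgrading to a version at or after 1.12.1 (or 1.13.0-2 on the 1.13 prerelease line) remains the primary fix; the check above is defence in depth for code that cannot upgrade immediately.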