Underscore.js, a utility-belt library for JavaScript providing functional programming helpers, saw a significant update moving from version 1.4.4 to 1.5.0. Both versions share the same core mission: offering developers a suite of functions that complement JavaScript's built-in capabilities, simplifying common tasks like manipulating arrays, objects, and functions. They both operate under the MIT license, ensuring broad usability in various projects. The primary author for both versions is Jeremy Ashkenas.
A key difference lies in the development dependencies. Version 1.5.0 relies on PhantomJS version 1.9.0-1 for testing and development, a considerable jump from the 0.2.2 version used by 1.4.4. This suggests changes in the testing setup or in the browser compatibility the test suite is run against in the newer version.
The release dates are also noticeably different, with version 1.5.0 being released on July 6, 2013, several months after the release of 1.4.4 on January 30, 2013. This time gap indicates accumulated changes, bug fixes, and potentially new features introduced over roughly six months.
For developers, this means version 1.5.0 likely incorporates performance or stability improvements, or utility functions that were not present in the older version. While both versions provide the same functional programming helpers and offer similar core functionality, developers should consider upgrading to 1.5.0 for the latest enhancements and potential performance benefits. Consulting the changelog for Underscore.js version 1.5.0 is recommended for a detailed account of the specific changes and additions.
All vulnerabilities affecting version 1.5.0 of the package
Arbitrary Code Execution in underscore
The package underscore, from 1.3.2 and before 1.12.1 and from 1.13.0-0 and before 1.13.0-2, is vulnerable to Arbitrary Code Execution via the template function: when a variable property is passed in the template settings, its value is used without being sanitized. Version 1.5.0 falls inside the first affected range.
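The mitigation on an affected version is to never let an unsanitized value reach the variable setting. The following added example (not underscore's own code) validates template settings before they are handed to the compiler; it assumes a compiler with the _.template(text, settings) call shape, and the test below passes a stub in place of _.template so it runs without the library installed.

```javascript
// Added example: guard the `variable` setting of _.template.
// The vulnerability above is that an unsanitized `variable` value is
// interpolated into the source of the generated template function, so the
// defensive check is to accept only a bare JavaScript identifier there.

// A bare identifier: letters, digits, underscore or dollar sign, and not
// starting with a digit. Dots, spaces, punctuation and empty strings fail.
const BARE_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

function isBareIdentifier(name) {
  return typeof name === 'string' && BARE_IDENTIFIER.test(name);
}

// Returns a shallow copy of `settings` that is safe to pass on, or throws a
// TypeError when `variable` is present but is not a bare identifier.
// Settings loaded from configuration or request data should always pass
// through here before reaching the template compiler.
function sanitizeTemplateSettings(settings) {
  const safe = Object.assign({}, settings);
  if (safe.variable !== undefined && !isBareIdentifier(safe.variable)) {
    throw new TypeError(
      'template "variable" must be a bare identifier, got: ' +
        JSON.stringify(safe.variable)
    );
  }
  return safe;
}

// Wrapper that applies the check on every call. `compile` is assumed to be
// _.template (or any compiler taking (text, settings)); it is injected so
// this file does not depend on underscore itself.
function guardedTemplate(compile, text, settings) {
  return compile(text, sanitizeTemplateSettings(settings));
}
```

Rejecting at the wrapper boundary keeps the check in one place, so an upgrade to a fixed release later removes the need for it without touching call sites.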