Underscore.js version 1.8.0 introduces key updates and refined tooling compared to its predecessor, version 1.7.0. Both versions serve as fundamental JavaScript libraries, offering a wealth of utility functions for functional programming. However, the 1.8.0 release demonstrates a shift in the developer workflow and testing methodologies.
A notable change lies in the *devDependencies*. Version 1.8.0 pulls in Karma, Karma-Qunit, and QUnit-CLI, signalling a move towards a more structured and automated test environment: Karma drives the existing QUnit suite across real browsers and from the command line. PhantomJS, listed in 1.7.0, is gone from 1.8.0, which points to a change in how headless runs are done rather than a reduction in coverage. ESLint is also present to keep code quality and style consistent across contributions.
Both versions retain the core functionality, the same license, and the same author, so existing users can expect continuity. The 1.8.0 release is best read as an evolution of the development process, with more automated testing around the same library. Developers considering an upgrade should check whether the dependency changes and the shift in test tooling fit their own project, and should separately check the vulnerability list below, since a test-tooling change says nothing about the library's security posture.
All the vulnerabilities related to version 1.8.0 of the package
Arbitrary Code Execution in underscore
The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function, specifically when the `variable` setting is passed to `_.template`, because its value is not sanitized before it is used to build the compiled template function.
Note that both 1.7.0 and 1.8.0 sit inside the affected range (1.3.2 up to but not including 1.12.1), so upgrading from 1.7.0 to 1.8.0 does not address this issue; only 1.12.1 or later (or 1.13.0-2 or later on the 1.13 prerelease line) does. Until then, never let user-controlled input reach the `variable` setting of `_.template`.
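To make the advisory concrete, the following added example (not Underscore's own code, and not an exploit against a real install) re-implements the shape of `_.template` in about twenty lines: it compiles a template body and hands it to `new Function(settings.variable || 'obj', source)` exactly the way the vulnerable versions did. Because an ES2015 parameter list may contain default values, a `variable` such as `a = (expr)` makes `expr` run every time the template is called, even with an empty template. The hardened variant applies the idea of the upstream fix, accepting only a bare identifier; the `BARE_IDENTIFIER` regex and all function names are my own, and the payload only sets a flag on `globalThis` where a real attacker would call `require(...)`.

```javascript
// Added example, not Underscore's code: a minimal template compiler that
// reproduces how _.template handed settings.variable straight to new Function.

const INTERPOLATE = /<%=([\s\S]+?)%>/g;

// Compile "Hi <%= d.name %>" into a function body that appends literal text
// and evaluated expressions to __p and returns the result.
function compileSource(text) {
  let index = 0;
  let source = "var __t, __p = '';\n";
  text.replace(INTERPOLATE, (match, expr, offset) => {
    source += '__p += ' + JSON.stringify(text.slice(index, offset)) + ';\n';
    source += '__p += ((__t = (' + expr + ')) == null ? "" : __t);\n';
    index = offset + match.length;
    return match;
  });
  source += '__p += ' + JSON.stringify(text.slice(index)) + ';\n';
  return source + 'return __p;\n';
}

// Vulnerable shape: settings.variable becomes the parameter list of the
// generated function with no validation at all.
function vulnerableTemplate(text, settings = {}) {
  const argument = settings.variable || 'obj';
  return new Function(argument, compileSource(text));
}

// Hardened shape: `variable` must be a bare identifier, otherwise refuse to
// compile. The regex is my own (assumption), modelled on the upstream idea of
// rejecting anything that is not a plain name.
const BARE_IDENTIFIER = /^\s*[\w$]+\s*$/;

function hardenedTemplate(text, settings = {}) {
  if (settings.variable && !BARE_IDENTIFIER.test(settings.variable)) {
    throw new Error('variable is not a bare identifier: ' + settings.variable);
  }
  const argument = settings.variable || 'obj';
  return new Function(argument, compileSource(text));
}

// Constructed inputs: a benign template and a `variable` value carrying a
// default-parameter expression that runs when the template is invoked.
const BENIGN = 'Hi <%= d.name %>';
const PAYLOAD = 'a = (globalThis.templateEscaped = true)';

function runDemo() {
  globalThis.templateEscaped = false;
  const benign = vulnerableTemplate(BENIGN, { variable: 'd' })({ name: 'Ada' });
  vulnerableTemplate('', { variable: PAYLOAD })(); // empty template, code still runs
  const escaped = globalThis.templateEscaped;
  let hardenedRejected = false;
  try {
    hardenedTemplate('', { variable: PAYLOAD });
  } catch (e) {
    hardenedRejected = true;
  }
  return { benign, escaped, hardenedRejected };
}

console.log(runDemo());
```

The check lives at compile time, so a rejected `variable` never reaches `new Function`; a legitimate setting such as `{ variable: 'data' }` still works unchanged. Keep in mind that the template text itself is code by design, so this fix only closes the case where `variable` was assumed to be data.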