Underscore.js, a popular JavaScript utility library offering a wealth of functional programming tools, saw a minor version bump from 1.8.1 to 1.8.2 in February 2015. Both versions share the same core description, "JavaScript's functional programming helper library," emphasizing their role in simplifying common programming tasks through functional paradigms. Digging into the package metadata reveals subtle but potentially important distinctions for developers.
The significant change lies within the devDependencies. Version 1.8.1 pins the tools used in development to specific versions or version ranges, for example "docco": "0.6.x". Version 1.8.2 loosens the docco dependency to "*", which allows any version of the package. This relaxation implies a deliberate choice, possibly to avoid build issues or to accommodate newer docco versions; it may also suggest a change in the internal build process or a broader compatibility test suite that checks the library against the latest docco. Developers who run Underscore's own build in their pipelines should be aware of this, since an unpinned tool can change the development environment from one install to the next. The impact is low, however, because docco is a development dependency and does not affect the published package in any way. Both releases keep identical licensing (MIT), source repository, and author information, ensuring continuity of distribution and ownership.
Vulnerabilities affecting version 1.8.2 of the package
Arbitrary Code Execution in underscore
The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, because that value is not sanitized.
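The practical mitigation for the issue described above, when upgrading is not immediately possible, is to never let untrusted input reach the `variable` template setting. The following guard is an added example, not code from Underscore itself: it accepts only a bare JavaScript identifier for `variable` before the settings are handed to the template compiler, and `compileTemplate` is an assumed stand-in for `_.template`.

```javascript
// Added example (not Underscore's own code). The affected versions spliced the
// `variable` setting straight into the source of the compiled template function,
// so the defensive rule is simple: the value must be a plain identifier.
const BARE_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

// True when `variable` is absent or is a plain identifier such as "data".
function isSafeVariable(variable) {
  return variable === undefined ||
    (typeof variable === 'string' && BARE_IDENTIFIER.test(variable));
}

// Returns a copy of `settings` that is safe to pass on, or throws.
// Rejecting (rather than stripping) the value makes misuse visible in logs.
function safeTemplateSettings(settings) {
  const out = Object.assign({}, settings);
  if (!isSafeVariable(out.variable)) {
    throw new Error('template variable must be a bare identifier');
  }
  return out;
}

// Wrapper around a template compiler; `compileTemplate(text, settings)` is a
// hypothetical stand-in for _.template so this file runs without the library.
function compileWithGuard(compileTemplate, text, settings) {
  return compileTemplate(text, safeTemplateSettings(settings));
}

// Constructed demonstration: a fake compiler that just echoes its settings.
function fakeCompile(text, settings) {
  return { text, variable: settings.variable };
}

const compiled = compileWithGuard(fakeCompile, '<%= name %>', { variable: 'data' });
console.log(compiled.variable); // prints "data"
```

Apply the same identifier check to any other template setting your code exposes to callers, and treat a thrown error here as a signal worth alerting on.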