Vue Template Compiler version 2.6.2 is a minor update to the 2.6.x branch, succeeding version 2.6.1. Both versions serve as template compilers for projects using Vue 2.0, a framework favored by developers aiming for performant and reactive web interfaces. At their core, they transform Vue templates into render functions understood by the browser.

Both releases depend on the same core dependencies: he for HTML entity encoding/decoding and de-indent for code indentation management. They share the same development dependency on the parent Vue project, are under the MIT license, and are maintained by Evan You.

A notable difference lies in their "unpackedSize": version 2.6.2 is slightly larger at 408680 bytes compared to 2.6.1's 408288 bytes. This size difference, although small, suggests potential minor adjustments, bug fixes, or performance enhancements within the compilation process. More importantly, version 2.6.2 was released on February 5th, 2019, one day after version 2.6.1, which was released on February 4th, 2019. This signals a rapid follow-up, possibly the result of a bug found shortly after the previous release. Developers should prioritize the newer 2.6.2 version to take advantage of the latest improvements and bug fixes, ensuring optimal template compilation and overall application stability.
All vulnerabilities related to version 2.6.2 of the package
vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
A vulnerability has been discovered in vue-template-compiler that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as Object.prototype.staticClass or Object.prototype.staticStyle to execute arbitrary JavaScript code. Vue 2 has reached End-of-Life. This vulnerability has been patched in Vue 3.
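The mechanism described above, as an added example that is not code from vue-template-compiler or from this page: a simplified stand-in for a code generator shows why an inherited staticClass value reaches generated output, next to an own-property guard and a check for a polluted Object.prototype. The function names (genDataUnsafe, genDataSafe, findPollutedKeys, demo) and the marker string are hypothetical.

```javascript
// Added illustration; simplified stand-in, NOT vue-template-compiler source.
const WATCHED_KEYS = ['staticClass', 'staticStyle']; // names taken from the advisory text

// Vulnerable pattern: plain property reads walk the prototype chain, so a value
// planted on Object.prototype shows up on every AST node that lacks its own copy.
function genDataUnsafe(el) {
  let data = '';
  if (el.staticClass) data += `staticClass:${el.staticClass},`;
  if (el.staticStyle) data += `staticStyle:${el.staticStyle},`;
  return data; // in a compiler, this text is spliced into render-function source
}

// Hardened pattern: only the node's own properties are trusted.
function genDataSafe(el) {
  const own = (k) => Object.prototype.hasOwnProperty.call(el, k);
  let data = '';
  if (own('staticClass')) data += `staticClass:${el.staticClass},`;
  if (own('staticStyle')) data += `staticStyle:${el.staticStyle},`;
  return data;
}

// Detection check: report watched keys that currently exist on Object.prototype.
function findPollutedKeys(keys = WATCHED_KEYS) {
  return keys.filter((k) => Object.prototype.hasOwnProperty.call(Object.prototype, k));
}

// Constructed scenario: a harmless marker stands in for attacker-controlled text.
function demo() {
  const node = { tag: 'div' }; // AST node with no class or style of its own
  const before = findPollutedKeys();
  Object.prototype.staticClass = 'POLLUTED_MARKER';
  try {
    return {
      before,
      during: findPollutedKeys(),
      unsafe: genDataUnsafe(node),
      safe: genDataSafe(node),
    };
  } finally {
    delete Object.prototype.staticClass; // restore the prototype
  }
}

console.log(demo());
```

A check like findPollutedKeys can run before templates are compiled in the browser, so that compilation is refused when the prototype is not clean.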