Vue Template Compiler version 2.7.0 introduces adjustments aimed at enhancing Vue 2.0 template compilation. One key difference compared to version 2.6.14 lies in its dependencies. Version 2.7.0 updates the "he" dependency to version "^1.2.0", whereas the previous version utilized "^1.1.0". The "he" library is crucial for HTML entity encoding and decoding, suggesting potential improvements or bug fixes related to handling special characters within Vue templates. While both versions share "de-indent" for code formatting, this update to "he" might resolve encoding-related issues developers encountered.
Another notable change is the significantly larger unpacked size of version 2.7.0: 591184 bytes compared to 415894 bytes in version 2.6.14. This size increase could indicate added features, more comprehensive test suites, or deeper internal refinements to the compiler's logic. Developers should consider this size difference, especially in resource-constrained environments. Finally, the release dates are far apart: version 2.7.0 was released over a year after 2.6.14, potentially accumulating numerous bug fixes and performance enhancements over that period. While the core function remains the same, version 2.7.0 shows some incremental development of the tool.
All vulnerabilities related to version 2.7.0 of the package
vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
A vulnerability has been discovered in vue-template-compiler that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties, such as Object.prototype.staticClass or Object.prototype.staticStyle, to execute arbitrary JavaScript code. Vue 2 has reached End-of-Life. This vulnerability has been patched in Vue 3.
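The pattern behind this advisory, as an added example that is not Vue's source code or part of the original page: a simplified, hypothetical code generator that reads optional properties from a template AST node, with the weak plain read beside an own-property check and a check for the two polluted keys. The names genDataUnsafe, genDataSafe, findPollutedKeys and demo are assumptions, and the marker value is constructed and harmless.

```javascript
// Simplified model of a template code generator (hypothetical; not Vue's source).
// It turns an AST node into a fragment of render-function source code.

const WATCHED_KEYS = ['staticClass', 'staticStyle']; // properties named in the advisory

// Unsafe pattern: a plain property read also sees values inherited
// from Object.prototype, so a polluted prototype leaks into generated code.
function genDataUnsafe(el) {
  let data = '';
  for (const key of WATCHED_KEYS) {
    if (el[key]) data += `${key}:${el[key]},`;
  }
  return `{${data}}`;
}

// Hardened pattern: only trust properties the node itself owns.
function genDataSafe(el) {
  let data = '';
  for (const key of WATCHED_KEYS) {
    if (Object.prototype.hasOwnProperty.call(el, key) && el[key]) {
      data += `${key}:${el[key]},`;
    }
  }
  return `{${data}}`;
}

// Detection check: report watched keys that exist on Object.prototype itself.
function findPollutedKeys() {
  return WATCHED_KEYS.filter((key) =>
    Object.prototype.hasOwnProperty.call(Object.prototype, key));
}

// Constructed demonstration with a harmless marker value.
function demo() {
  const node = { tag: 'div' }; // node with no class or style of its own
  Object.prototype.staticClass = '"CONSTRUCTED_MARKER"';
  try {
    return {
      unsafe: genDataUnsafe(node),
      safe: genDataSafe(node),
      polluted: findPollutedKeys(),
    };
  } finally {
    delete Object.prototype.staticClass; // always restore the prototype
  }
}

console.log(demo());
```

Calling findPollutedKeys() before compiling any template gives an application a way to notice that an earlier pollution bug has already modified Object.prototype.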