Webpack-cli version 3.1.1 is a minor update to version 3.1.0, offering developers an enhanced command-line interface experience for managing webpack projects. Key improvements in 3.1.1 lie within dependency updates, bolstering stability and incorporating the latest features from underlying libraries. For instance, yargs is bumped from version 12.0.1 to 12.0.2, and "supports-color" goes from 5.4.0 to 5.5.0, potentially influencing argument parsing and terminal color support. Furthermore, enhanced-resolve upgrades from 4.0.0 to 4.1.0.
Notably, version 3.1.1 replaces "inquirer" with "global-modules-path", which suggests a change in how the CLI resolves globally installed modules and handles user input, potentially streamlining those steps. The update also introduces "v8-compile-cache".
Developers will also find that many of the devDependencies have been updated. These updates affect the experience of contributing to the project; for developers who only consume the library, they change little.
Developers should evaluate whether the dependency updates and changes in module handling warrant the minor version upgrade, depending on their project's specific needs and compatibility requirements.
All the vulnerabilities related to version 3.1.1 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
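As an added illustration of the mitigation (example code written for this page, not yargs-parser's own implementation), the following minimal dotted-key argument parser refuses the reserved path segments that make the pollution above possible and stores nested values in prototype-less objects; the function names parseArgs, setPath and prototypeIsClean and the constructed SAMPLE_ARGV are assumptions of this example.

```javascript
// Added example, not yargs-parser code: a dotted-key argv setter hardened
// against the --foo.__proto__.bar style of argument the advisory describes.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "--foo.__proto__.bar" into ['foo', '__proto__', 'bar'].
function keyPath(flag) {
  return flag.replace(/^--/, '').split('.');
}

// Assign value at the dotted path, creating intermediate objects as needed.
// Reserved segments are rejected up front, and every intermediate object is
// created without a prototype so a write can never reach Object.prototype.
function setPath(target, path, value) {
  for (const segment of path) {
    if (FORBIDDEN_SEGMENTS.has(segment)) {
      throw new Error(`refusing to set reserved key "${segment}"`);
    }
  }
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = Object.create(null);
    }
    node = node[seg];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Parse a minimal argv of the form ['--a.b', 'value', '--c', 'value'].
// Rejected arguments are returned rather than silently dropped so a caller
// can log them as a possible tampering attempt.
function parseArgs(argv) {
  const parsed = Object.create(null);
  const rejected = [];
  for (let i = 0; i < argv.length; i++) {
    const token = argv[i];
    if (!token.startsWith('--')) continue;
    const hasValue = argv[i + 1] !== undefined && !argv[i + 1].startsWith('--');
    const value = hasValue ? argv[++i] : true;
    try {
      setPath(parsed, keyPath(token), value);
    } catch (e) {
      rejected.push({ arg: token, reason: e.message });
    }
  }
  return { parsed, rejected };
}

// Post-parse check: has Object.prototype gained an unexpected own property?
function prototypeIsClean(name) {
  return !Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Constructed sample input: the advisory's argument next to a benign option.
const SAMPLE_ARGV = ['--foo.__proto__.bar', 'baz', '--mode', 'production'];
```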
global-modules-path Command Injection vulnerability
Versions of the package global-modules-path before 3.0.0 are vulnerable to Command Injection because the getPath function applies no input sanitization, nor any other check or sandboxing, to the input it receives.