The xml2js package, a simple XML to JavaScript object converter, saw a minor version bump from 0.1.9 to 0.1.10. Both versions share identical core functionality, library dependencies, development dependencies, and repository information. Both versions depend on the 'sax' package (version >=0.1.1) for parsing XML and utilize 'zap' (>=0.2.3) and 'coffee-script' (>=1.0.1) for development-related tasks. The author and repository details also remain consistent, indicating a focus on maintaining existing functionality and codebase stability.
The primary difference lies in the release date. Version 0.1.9 was released on June 23, 2011, while version 0.1.10 followed on August 31, 2011. This suggests that the update in version 0.1.10 likely includes bug fixes, minor improvements, or dependency updates. Developers using xml2js will find these versions very similar in terms of API and use cases. The decision to upgrade from 0.1.9 to 0.1.10 should be based on the need for potentially resolved issues, improved stability, or alignment with the latest dependencies. For new projects, version 0.1.10 is recommended due to its recency. If considering upgrading, refer to the project's commit history on GitHub for detailed changelogs indicating the specific modifications made between the two versions.
All vulnerabilities related to version 0.1.10 of the package
xml2js is vulnerable to prototype pollution
xml2js versions before 0.5.0 allow an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.
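The key-validation gap described above, as an added JavaScript example that is not xml2js code: a guarded setter a converter can use in place of plain `obj[key] = value`, and a walk that flags an already-built tree carrying `__proto__` keys or a silently replaced prototype before it is merged into application state. The sample tree is constructed, and the names setKey and findDangerousNodes are assumptions of this example.

```javascript
// Added example, not xml2js code. Keys that reach Object.prototype through
// a plain object instead of landing on the node itself.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Guarded assignment a converter can use instead of `target[key] = value`:
// a forbidden key is rejected; any other key becomes an own data property.
function setKey(target, key, value) {
  if (FORBIDDEN_KEYS.has(key)) {
    throw new Error(`refusing to set forbidden key "${key}"`);
  }
  Object.defineProperty(target, key, {
    value, enumerable: true, writable: true, configurable: true,
  });
  return target;
}

// Walk a parsed tree and report (a) own properties with forbidden names and
// (b) nodes whose prototype is no longer a plain Object/Array prototype,
// which is what `node['__proto__'] = {...}` silently does to a plain object.
function findDangerousNodes(node, path = '$') {
  const hits = [];
  if (node === null || typeof node !== 'object') return hits;
  const proto = Object.getPrototypeOf(node);
  if (proto !== Object.prototype && proto !== Array.prototype && proto !== null) {
    hits.push(`${path} (prototype replaced)`);
  }
  for (const key of Object.keys(node)) { // own, enumerable keys only
    if (FORBIDDEN_KEYS.has(key)) hits.push(`${path}.${key}`);
    hits.push(...findDangerousNodes(node[key], `${path}.${key}`));
  }
  return hits;
}

// Constructed sample: the object a converter that copies element names to
// keys without validation would return for an element named __proto__.
// JSON.parse creates an own property here, so the key is visible to the walk.
const SAMPLE_TREE = JSON.parse(
  '{"root":{"__proto__":{"polluted":"yes"},"name":"x"}}'
);

// Constructed sample of the other failure mode: naive assignment swaps the
// node's prototype and leaves no own key behind to inspect.
const SWAPPED_NODE = {};
SWAPPED_NODE['__proto__'] = { polluted: 'yes' };

console.log(findDangerousNodes(SAMPLE_TREE));          // [ '$.root.__proto__' ]
console.log(findDangerousNodes({ root: SWAPPED_NODE })); // [ '$.root (prototype replaced)' ]
```

Rejecting a tree with any hit, or building nodes with setKey from the start, keeps a hostile element name from ever reaching Object.prototype.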