The xml2js package, a straightforward XML-to-JavaScript-object converter, saw a patch-level bump from 0.1.11 to 0.1.12. Both versions share the same core functionality and dependencies: a runtime dependency on the 'sax' parser (version >=0.1.1), with 'zap' (>=0.2.3) and 'coffee-script' (>=1.0.1) used only for development tasks. The origin, maintainer (Marek Kubica) and repository are unchanged, so developers already familiar with the library will find nothing new to learn.
The only difference visible in the metadata is the release date: version 0.1.12 was published on November 26, 2011, while version 0.1.11 was released earlier, on October 1, 2011. The metadata carries no changelog, so the eight-week gap by itself says nothing about what changed; check the repository history before relying on a particular fix being present in 0.1.12.
Of the two, 0.1.12 is the later release, but that is not a reason to standardize on it. Both versions, and every xml2js release before 0.5.0, carry the prototype pollution issue described in the vulnerability section below, so a project that depends on either should move to 0.5.0 or later rather than to 0.1.12, and new projects should not pick a 0.1.x release at all. The dist.tarball property in the registry metadata points directly to the package download location within the npm registry, which is convenient when you need to fetch an exact version for review.
All vulnerabilities affecting version 0.1.12 of the package
xml2js is vulnerable to prototype pollution
xml2js versions before 0.5.0 allow an external attacker to edit or add properties on objects the application never intended to expose. The parser uses element names taken straight from the XML document as property keys on ordinary JavaScript objects without validating them, so a document containing an element named __proto__ reaches Object.prototype, and every object in the process then inherits the attacker-supplied properties. Version 0.1.12 is affected; the fix is to upgrade to 0.5.0 or later.
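The mechanism above, shown as an added example that is not xml2js's own code: a deliberately tiny XML-to-object converter written for this page, with the vulnerable key handling beside a hardened version. The function names (parseSimpleXml, treeToObjectUnsafe, treeToObjectSafe, demonstrate) and the malicious document are assumptions constructed for the demo, and the parser only understands a simplified XML subset (elements and text; no attributes, entities, comments or self-closing tags).

```javascript
// Added example (not xml2js's own code): a deliberately tiny XML-to-object
// converter that reproduces the vulnerable pattern next to a hardened one.
// Hypothetical names: parseSimpleXml, treeToObjectUnsafe, treeToObjectSafe,
// demonstrate, MALICIOUS_XML. The XML subset is constructed for the demo:
// elements and text only, no attributes, entities, comments or self-closing tags.

// Constructed malicious document: an element named __proto__ whose child
// becomes a property on Object.prototype if the converter is careless.
const MALICIOUS_XML =
  '<root><__proto__><polluted>yes</polluted></__proto__><name>alice</name></root>';

// Parse the simplified subset into a tree of { name, children, text }.
function parseSimpleXml(xml) {
  const root = { name: null, children: [], text: '' };
  const stack = [root];
  const token = /<\/?([A-Za-z_][\w.-]*)\s*>|([^<]+)/g;
  let m;
  while ((m = token.exec(xml)) !== null) {
    if (m[1] === undefined) {
      stack[stack.length - 1].text += m[2];          // text node
    } else if (m[0].startsWith('</')) {
      const open = stack.pop();                       // closing tag
      if (open.name !== m[1]) throw new Error(`mismatched </${m[1]}>`);
    } else {
      const node = { name: m[1], children: [], text: '' };
      stack[stack.length - 1].children.push(node);    // opening tag
      stack.push(node);
    }
  }
  if (stack.length !== 1) throw new Error('unclosed element');
  return root.children[0];
}

// VULNERABLE: element names go straight in as keys on plain objects, and the
// merge descends into whatever target[name] already is. For name === '__proto__'
// that is Object.prototype, so the child keys land on every object in the process.
function assignUnsafe(target, name, value) {
  if (typeof value === 'object' && value !== null) {
    if (typeof target[name] !== 'object' || target[name] === null) target[name] = {};
    for (const k of Object.keys(value)) assignUnsafe(target[name], k, value[k]);
  } else {
    target[name] = value;
  }
}
function treeToObjectUnsafe(node) {
  if (node.children.length === 0) return node.text.trim();
  const obj = {};
  for (const child of node.children) assignUnsafe(obj, child.name, treeToObjectUnsafe(child));
  return obj;
}

// HARDENED: containers have no prototype chain to climb, names that address the
// prototype machinery are rejected outright, and own-ness is checked explicitly
// (both the `in` operator and target[name] would see inherited properties).
// Repeated elements are collected into an array.
const FORBIDDEN_NAMES = new Set(['__proto__', 'constructor', 'prototype']);
function treeToObjectSafe(node) {
  if (node.children.length === 0) return node.text.trim();
  const obj = Object.create(null);
  for (const child of node.children) {
    if (FORBIDDEN_NAMES.has(child.name)) {
      throw new Error(`rejected element name: ${child.name}`);
    }
    const value = treeToObjectSafe(child);
    if (!Object.prototype.hasOwnProperty.call(obj, child.name)) obj[child.name] = value;
    else if (Array.isArray(obj[child.name])) obj[child.name].push(value);
    else obj[child.name] = [obj[child.name], value];
  }
  return obj;
}

// Run the malicious document through both converters and report what happened.
function demonstrate(xml) {
  const tree = parseSimpleXml(xml);
  const before = ({}).polluted;          // undefined on a clean runtime
  treeToObjectUnsafe(tree);
  const after = ({}).polluted;           // 'yes': an unrelated fresh object now inherits it
  delete Object.prototype.polluted;      // undo the damage for the rest of the process
  let safeError = null;
  try {
    treeToObjectSafe(tree);
  } catch (e) {
    safeError = e.message;               // the hardened converter refuses the document
  }
  return { before, after, safeError };
}

console.log(demonstrate(MALICIOUS_XML));
```

The hardened converter applies two independent defences: null-prototype containers mean `obj['__proto__']` is an ordinary own property with no setter behind it, and rejecting the names outright protects downstream code that may later deep-merge the result into a normal object. In a real service the primary fix is still to upgrade xml2js to 0.5.0 or later; this example only shows why the unvalidated-key pattern is dangerous.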