The npm package xml2js, a simple XML to JavaScript object converter, saw a patch-level update from 0.1.2 to 0.1.3. Both versions share the same core functionality and author, and target developers who need to parse XML data into JavaScript objects. The recorded difference is that 0.1.3 declares a dependency on the sax package, with the version range ">=0.1.1", where 0.1.2 declared none. sax is a streaming, SAX-style XML parser, so this indicates that 0.1.3 delegates tokenizing of the XML to sax and builds the resulting object tree on top of it.
Developers considering xml2js should note this dependency. Leaning on sax can help with large documents, since the input is processed as a stream of events rather than loaded as one tree, but it also adds a package that must be tracked and updated. The open-ended ">=0.1.1" range deserves attention: without a lockfile the sax version actually installed depends on when the install happens, so projects that need reproducible builds should pin it. The two versions carry the same release date, so the sax dependency is the only change distinguishing 0.1.3 from 0.1.2.
Known vulnerabilities affecting version 0.1.3 of the package
xml2js is vulnerable to prototype pollution
xml2js versions before 0.5.0 allow an external attacker to add or modify properties on objects the parser builds, including properties inherited by every object through Object.prototype. This is possible because the parser uses names taken from the input document (element names) as object keys without validating them, so a document containing an element named __proto__ reaches the prototype chain. Version 0.1.3 is affected; the fix in 0.5.0 refuses to assign that key, and upgrading to 0.5.0 or later is the remediation.
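The following is an added example, not code from xml2js: a deliberately minimal XML-to-object converter that reproduces the bug class described above (element names used as object keys without validation) next to a hardened variant that rejects the dangerous names. It handles only nested elements, self-closing tags and text, stores text under "_" to mirror xml2js's default charkey, and its malicious document is constructed for the demo. The names parseXmlVulnerable, parseXmlHardened, FORBIDDEN_KEYS and demo are this example's own, not xml2js's API.

```javascript
'use strict';

// Split XML into open/close/selfclose/text tokens. No attributes, comments or
// entities: just enough to show how an element name becomes an object key.
function tokenize(xml) {
  const re = /<(\/)?([A-Za-z_][\w.:-]*)\s*(\/)?>|([^<]+)/g;
  const tokens = [];
  let m;
  while ((m = re.exec(xml)) !== null) {
    if (m[2] !== undefined) {
      tokens.push({ type: m[1] ? 'close' : m[3] ? 'selfclose' : 'open', name: m[2] });
    } else if (m[4].trim() !== '') {
      tokens.push({ type: 'text', value: m[4].trim() });
    }
  }
  return tokens;
}

// Shared parser core. keyCheck sees every element name before it is used as
// a key; the vulnerable variant passes names through untouched.
function parseWith(xml, keyCheck) {
  const root = {};
  const stack = [root];
  for (const tok of tokenize(xml)) {
    const parent = stack[stack.length - 1];
    if (tok.type === 'open' || tok.type === 'selfclose') {
      const key = keyCheck(tok.name);
      // Reuse an existing object under `key`, otherwise create one. With
      // key === "__proto__" on a plain object, parent[key] is Object.prototype,
      // so every child element below it is written onto Object.prototype.
      if (typeof parent[key] !== 'object' || parent[key] === null) {
        parent[key] = {};
      }
      if (tok.type === 'open') stack.push(parent[key]);
    } else if (tok.type === 'close') {
      if (stack.length > 1) stack.pop();
    } else {
      parent._ = tok.value; // text content, xml2js-style "_" key
    }
  }
  return root;
}

// Vulnerable: like xml2js before 0.5.0, no key is rejected.
function parseXmlVulnerable(xml) {
  return parseWith(xml, (name) => name);
}

// Hardened: refuse element names that would reach the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function parseXmlHardened(xml) {
  return parseWith(xml, (name) => {
    if (FORBIDDEN_KEYS.has(name)) {
      throw new Error('refusing unsafe element name: ' + name);
    }
    return name;
  });
}

// Constructed malicious document: the element name "__proto__" is the payload.
const MALICIOUS_XML =
  '<root><__proto__><polluted>hacked</polluted></__proto__></root>';

// Feed the payload to a parser and report whether an unrelated, freshly
// created object now sees the injected property. Removes the property
// afterwards so the demo leaves no global state behind.
function demo(parser) {
  let threw = false;
  try {
    parser(MALICIOUS_XML);
  } catch (e) {
    threw = true;
  }
  const fresh = {};
  const polluted = fresh.polluted !== undefined && fresh.polluted._ === 'hacked';
  delete Object.prototype.polluted;
  return { threw, polluted };
}

console.log('vulnerable:', demo(parseXmlVulnerable)); // { threw: false, polluted: true }
console.log('hardened:  ', demo(parseXmlHardened));   // { threw: true, polluted: false }
```

The check in demo is the one worth carrying into a real test suite: after parsing untrusted input, a brand-new object literal must not have gained properties. Rejecting the three names is the narrow fix; building the result tree from Object.create(null) objects, so that "__proto__" is just an ordinary own property, removes the class of bug entirely.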