The xml2js package, a simple XML to JavaScript object converter, moved from version 0.1.14 to 0.2.0 on September 5th, 2012. Both versions keep the core functionality of parsing XML into JavaScript objects and share a runtime dependency on the 'sax' package (version >=0.1.1), but there are differences developers should weigh. The main one is in the development dependencies: version 0.2.0 requires "zap": ">=0.2.4-2" for its tests, whereas version 0.1.14 requires "zap": ">=0.2.3". The newer test-framework requirement suggests improved stability and potentially fewer bugs in 0.2.0, although the dependency bump by itself does not prove it. Both versions use docco and coffee-script at similar versions.
Furthermore, the repository URL in version 0.1.14 uses the 'git://' protocol, while version 0.2.0 switches to 'https://'. The git:// protocol offers neither encryption nor server authentication, so the change to HTTPS moves repository access onto an authenticated, encrypted channel and aligns with current security practice. Both versions are authored by Marek Kubica. Developers choosing between the two should note the potential stability gains of the 0.2.0 release, together with the safer repository protocol, which make it preferable for projects that prioritise reliability and secure dependencies.
All known vulnerabilities affecting version 0.2.0 of the package
xml2js is vulnerable to prototype pollution
xml2js versions before 0.5.0 allow an external attacker to edit or add properties on an object. This is possible because the application does not properly validate incoming JSON keys, which allows the __proto__ property to be edited.
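As an added example that is not xml2js's own code, the following minimal converter shows the defence the description above implies: names taken from the document are stored in null-prototype objects, and accessor names such as __proto__ are rejected outright, so the parsed result cannot reach Object.prototype. The tokenizer, function names and the sample inputs are my own assumptions, not taken from the package.

```javascript
// Added example, not xml2js's own code: an xml2js-style XML-to-object
// converter hardened so element names can never act on Object.prototype.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function xmlToObject(xml) {
  // Tokenizer for a small XML subset: start/end/self-closing tags and text;
  // no attributes, comments, CDATA or processing instructions.
  const re = /<(\/?)([A-Za-z_][\w:.-]*)\s*(\/?)>|([^<]+)/g;
  // Null-prototype containers: a "__proto__" key would become an own
  // property here instead of rewriting the prototype chain.
  const root = Object.create(null);
  const stack = [{ node: root, name: null, text: "" }];
  for (let m; (m = re.exec(xml)) !== null; ) {
    const [, closing, name, selfClose, text] = m;
    if (text !== undefined) {
      stack[stack.length - 1].text += text;
      continue;
    }
    // Second line of defence: refuse names that act as prototype accessors
    // if the result is ever copied into an ordinary {} downstream.
    if (DANGEROUS_KEYS.has(name)) {
      throw new Error(`rejected unsafe element name: ${name}`);
    }
    if (!closing) stack.push({ node: Object.create(null), name, text: "" });
    if (closing || selfClose) finishElement(stack, name);
  }
  if (stack.length !== 1) throw new Error("unclosed element");
  return root;
}

// Pop the finished element and attach it to its parent under its tag name.
function finishElement(stack, name) {
  const done = stack.pop();
  if (done.name !== name) throw new Error(`mismatched closing tag: ${name}`);
  const parent = stack[stack.length - 1].node;
  const hasChildren = Object.keys(done.node).length > 0;
  const value = hasChildren ? done.node : done.text.trim();
  // xml2js convention: repeated sibling names collect into an array.
  if (Object.prototype.hasOwnProperty.call(parent, name)) {
    if (!Array.isArray(parent[name])) parent[name] = [parent[name]];
    parent[name].push(value);
  } else {
    parent[name] = value;
  }
}

// Post-parse check for this bug class: did anything land on Object.prototype?
function prototypeIsClean(probe) {
  return !Object.prototype.hasOwnProperty.call(Object.prototype, probe);
}
```

A converter that instead built its results with plain `{}` literals and assigned element names directly would be the shape of the pre-0.5.0 defect; the two guards above (null prototypes plus the key denylist) are independent, so either alone still blocks it.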