The npm package xml2js converts XML documents into plain JavaScript objects, which simplifies working with XML data in Node.js. Version 0.2.6, released on February 28, 2013, follows version 0.2.5 by a single day (February 27, 2013). Both versions share the same core functionality and the same runtime dependency on sax (version 0.4.2) for XML parsing. They differ only in their developer dependencies: version 0.2.6 requires coffee-script >= 1.5.0, whereas version 0.2.5 required >= 1.0.1. Because this is a devDependency, it is not installed by projects that depend on xml2js; it matters only to contributors who build the library from its CoffeeScript source, and it changes nothing about the parser's behaviour for consumers. The library remains a convenient tool for converting XML into JavaScript objects, but both 0.2.5 and 0.2.6 are 2013-era releases and should be evaluated against the vulnerability information below before being used.
All vulnerabilities affecting version 0.2.6 of the package
xml2js is vulnerable to prototype pollution
xml2js versions before 0.5.0 allow an external attacker to edit or add properties on an object (CVE-2023-0842). The parser does not validate the XML element names it uses as keys when building the result object, so an element named __proto__ makes the parser write into the prototype shared by every plain object in the process rather than into an ordinary property. This is prototype pollution: attacker-controlled XML can add or override properties that the application later reads on unrelated objects. Version 0.2.6 is affected; the fix shipped in version 0.5.0, so upgrade to 0.5.0 or later and confirm the resolved version with `npm ls xml2js`.
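The mechanism described above, as an added example that is not code from the xml2js project: a toy element-only XML reader (no attributes, entities, declarations or self-closing tags, which are assumptions to keep it short) that maps each element name to a property on its parent, the general pattern an XML-to-object mapper follows. In its default mode it reproduces the pollution, and in `safe` mode it applies the two standard defenses: rejecting element names that address the prototype chain and building nodes with `Object.create(null)`. The payload and the `safe` option are constructed for this example.

```javascript
// Added example, not xml2js code. Demonstrates why using untrusted element
// names as object keys pollutes Object.prototype, and how to prevent it.

// Keys that reach the prototype chain instead of creating an own property.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Tokenize a restricted XML subset (element tags and text only) into
// open/close/text tokens. Whitespace-only text is dropped.
function tokenize(xml) {
  const tokens = [];
  const re = /<\/([A-Za-z_][\w.-]*)\s*>|<([A-Za-z_][\w.-]*)\s*>|([^<]+)/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    if (m[1] !== undefined) tokens.push({ type: 'close', name: m[1] });
    else if (m[2] !== undefined) tokens.push({ type: 'open', name: m[2] });
    else if (m[3].trim() !== '') tokens.push({ type: 'text', value: m[3].trim() });
  }
  return tokens;
}

// Convert XML to a nested object. options.safe (assumed name) enables the
// hardened behaviour; the default reproduces the vulnerable pattern.
function xmlToObject(xml, options = {}) {
  const safe = options.safe === true;
  // Null-prototype nodes have no inherited __proto__ accessor to hijack.
  const newNode = () => (safe ? Object.create(null) : {});
  const root = newNode();
  const stack = [{ name: null, node: root, text: null }];

  for (const tok of tokenize(xml)) {
    const top = stack[stack.length - 1];
    if (tok.type === 'open') {
      if (safe && FORBIDDEN_KEYS.has(tok.name)) {
        throw new Error(`refusing to use element name "${tok.name}" as an object key`);
      }
      // The vulnerable step: on a plain {} node, node["__proto__"] is the
      // inherited accessor and resolves to Object.prototype, so the child
      // the parser keeps writing into is the prototype of every plain object.
      let child = top.node[tok.name];
      if (child === undefined) {
        child = newNode();
        top.node[tok.name] = child;
      }
      stack.push({ name: tok.name, node: child, text: null });
    } else if (tok.type === 'text') {
      top.text = tok.value;
    } else {
      const done = stack.pop();
      const parent = stack[stack.length - 1];
      // Leaf element: replace the placeholder object with its text value.
      if (done.text !== null) {
        parent.node[done.name] = done.text;
      }
    }
  }
  return root;
}

// Constructed attacker payload: the element named __proto__ steers the
// write for <polluted> onto Object.prototype.
const PAYLOAD = '<root><__proto__><polluted>yes</polluted></__proto__></root>';

// Run the payload through both modes and report what happened.
function runDemo() {
  const before = ({}).polluted;              // undefined on a clean process
  xmlToObject(PAYLOAD);                      // vulnerable mode
  const after = ({}).polluted;               // 'yes': an unrelated object now has it
  delete Object.prototype.polluted;          // undo the pollution for the rest of the process
  let rejected = false;
  try {
    xmlToObject(PAYLOAD, { safe: true });
  } catch (e) {
    rejected = true;                         // hardened mode refuses the element name
  }
  return { before, after, rejected, clean: ({}).polluted === undefined };
}

module.exports = { tokenize, xmlToObject, runDemo, FORBIDDEN_KEYS, PAYLOAD };
```

The two defenses are independent: the key check alone stops the writes to `Object.prototype`, and null-prototype nodes alone turn `__proto__` into an ordinary own property. Applying both means a missed key in the deny list (or a future alias) still cannot reach the shared prototype, and downstream code that reads `result.polluted` on an unrelated object never sees attacker data.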