Xml2js is a popular npm package for converting XML documents into JavaScript objects, making it easier to work with XML data in Node.js environments. Version 0.4.0, released on November 23, 2013, represents a notable evolution from the previous stable version, 0.2.8, released on June 15, 2013.
One key difference lies in the dependencies. Both versions rely on the sax parser (version 0.5.x), but version 0.4.0 introduces a new dependency: xmlbuilder (version >=0.4.2). This is the library behind the Builder class that 0.4.0 added, which serializes JavaScript objects back into XML, the reverse of the parsing the package was previously limited to. Developers who need to generate XML, not only parse it, should take note; the rest gain one more transitive dependency to keep patched.
The developer tooling, specified in devDependencies, also changes slightly. Version 0.4.0 adds diff (version >=1.0.7), while "zap", "docco", and "coffee-script" are present in both releases. Because devDependencies are not installed by consumers of the package, this change affects only people building or testing xml2js itself; the diff library is most plausibly used to show differences between expected and actual parser output in the test suite.
For developers considering xml2js, the jump from 0.2.8 to 0.4.0 is a significant update, mainly because of the object-to-XML building that the xmlbuilder dependency enables. Reviewing the library's documentation or release notes for version 0.4.0 is essential to understand the extent of those capabilities. When choosing between the two versions, consider whether the need to build and modify XML outweighs the added attack surface of an additional dependency. Note also that both 0.2.8 and 0.4.0 predate 0.5.0, so both fall within the affected range of the prototype pollution advisory listed below; neither is a safe choice for parsing untrusted XML.
All known vulnerabilities affecting version 0.4.0 of the package
xml2js is vulnerable to prototype pollution
xml2js versions before 0.5.0 allow an external attacker to edit or add properties of an object produced by the parser. This is possible because the parser does not validate the names it turns into object keys: XML element names from the input document are assigned directly as property names on the result, so an element named __proto__ sets the prototype of the parsed object instead of becoming an ordinary key. Code that inspects the parsed object with property lookups, hasOwnProperty checks or the in operator can then be made to see attacker-chosen values. Fixed in 0.5.0; run npm ls xml2js to find every copy in a dependency tree, including transitive ones, and upgrade all of them.
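To make the failure mode concrete, here is an added illustration that is not xml2js's own code. It uses a deliberately minimal element-only XML parser (an assumption for self-containment; xml2js handles attributes, namespaces and returns arrays per element by default) and reproduces the key-assignment pattern behind the advisory: assigning `obj[elementName] = value` lets a constructed document named `<__proto__>` replace the prototype of the result, whereas defining the key with `Object.defineProperty` (one hardening approach; rejecting the reserved names or building on `Object.create(null)` are alternatives) keeps it an ordinary own property.

```javascript
// Added example, not part of xml2js. The helper names parseXml, toObject,
// parseToObject, unsafeAssign, safeAssign and inspectParsedUser are
// assumptions made for this illustration.

// Minimal tokenizer for element-only XML (no attributes, entities, comments).
// Returns a tree of { name, children, text } nodes; mixed content is ignored.
function parseXml(xml) {
  const tagRe = /<(\/?)([^\s>\/]+)\s*\/?>|([^<]+)/g;
  const root = { name: null, children: [], text: '' };
  const stack = [root];
  let m;
  while ((m = tagRe.exec(xml)) !== null) {
    const [whole, closing, name, text] = m;
    const top = stack[stack.length - 1];
    if (text !== undefined) {
      top.text += text;
    } else if (closing) {
      if (top.name !== name) throw new Error(`unexpected </${name}>`);
      stack.pop();
    } else {
      const node = { name, children: [], text: '' };
      top.children.push(node);
      if (!whole.endsWith('/>')) stack.push(node);
    }
  }
  if (stack.length !== 1) throw new Error('unclosed element');
  return root.children[0];
}

// Build a plain object from the tree. Leaves become trimmed strings; repeated
// child names become arrays. `assign` is the only place keys are written, so
// the vulnerable and hardened variants differ in that function alone.
function toObject(node, assign) {
  if (node.children.length === 0) return node.text.trim();
  const obj = {};
  for (const child of node.children) {
    const value = toObject(child, assign);
    if (Object.prototype.hasOwnProperty.call(obj, child.name)) {
      const prev = obj[child.name];
      assign(obj, child.name, Array.isArray(prev) ? prev.concat([value]) : [prev, value]);
    } else {
      assign(obj, child.name, value);
    }
  }
  return obj;
}

// Wrap the root element under its own name, as xml2js does with explicitRoot.
function parseToObject(xml, assign) {
  const rootNode = parseXml(xml);
  const result = {};
  assign(result, rootNode.name, toObject(rootNode, assign));
  return result;
}

// Vulnerable pattern: a plain property write. For the key "__proto__" this
// invokes the inherited accessor and replaces the object's prototype.
const unsafeAssign = (obj, key, value) => { obj[key] = value; };

// Hardened pattern: define an own data property. "__proto__" becomes an
// ordinary key and the prototype stays Object.prototype.
const safeAssign = (obj, key, value) =>
  Object.defineProperty(obj, key, { value, writable: true, enumerable: true, configurable: true });

// Constructed attacker document: the root element is named __proto__.
const MALICIOUS = '<__proto__><role>admin</role></__proto__>';

// What an application-level check would observe on the parsed object.
function inspectParsedUser(xml, assign) {
  const user = parseToObject(xml, assign);
  return {
    ownRole: Object.prototype.hasOwnProperty.call(user, 'role'),
    inheritedRole: user.role,
    protoIsObjectPrototype: Object.getPrototypeOf(user) === Object.prototype,
    ownKeys: Object.keys(user),
  };
}

console.log('vulnerable:', inspectParsedUser(MALICIOUS, unsafeAssign));
console.log('hardened:  ', inspectParsedUser(MALICIOUS, safeAssign));
```

With the vulnerable assignment the parsed user has no own `role` property, yet `user.role` reads `'admin'` through the attacker-supplied prototype, which is exactly the shape of bug that defeats a `hasOwnProperty`-based privilege check. With the hardened assignment `role` is unreachable and `__proto__` shows up as a visible own key that validation code can reject.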