The xml2js package, a popular tool for converting XML data into JavaScript objects, saw a small but potentially impactful update between versions 0.4.20 and 0.4.21. Both versions maintain the core functionality of providing a simple and efficient way to parse XML into a more manageable JavaScript format, essential for developers working with XML-based APIs or data formats. The key difference lies in the dependency on the xmlbuilder package. Version 0.4.20 relies on xmlbuilder version ~10.0.0, while version 0.4.21 upgrades this dependency to ~13.0.0.
This seemingly minor change has implications for developers. The update to xmlbuilder potentially brings performance improvements, bug fixes, and new features introduced in the newer xmlbuilder version. Developers upgrading to xml2js 0.4.21 should review the xmlbuilder changelog to understand the specific changes and confirm compatibility and benefits within their existing projects. Both versions share the same development dependencies, license (MIT), repository, author, file count and unpacked size, which ensures a consistent development experience and project structure. The release dates are roughly a day apart, suggesting a quick patch or update driven by the newer xmlbuilder package; for developers this indicates that the upgrade is a fix to the older package.
All vulnerabilities related to version 0.4.21 of the package
xml2js is vulnerable to prototype pollution
xml2js versions before 0.5.0 allow an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.
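Two defensive checks a consumer of xml2js can apply, covering both the upgrade question above and the prototype-pollution issue: a version test against the 0.5.0 fix line, and a walker that rejects dangerous keys in a parsed tree before it is merged into application state. This is an added example, not xml2js's own code; it assumes the parser returns a plain object tree (as xml2js does) and constructs its sample input with JSON.parse, which creates an own "__proto__" key the way an untrusted document could.

```javascript
// Added example, not part of xml2js. Assumes a plain-object parse result.
const FIXED_VERSION = [0, 5, 0]; // first xml2js release described as fixed
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// True when the given xml2js version (a bare or ~/^ prefixed semver string)
// predates 0.5.0 and therefore still has the unvalidated-key behaviour.
function xml2jsNeedsUpgrade(version) {
  const parts = version.replace(/^[^\d]*/, "").split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0, b = FIXED_VERSION[i];
    if (a !== b) return a < b;
  }
  return false;
}

// Walks a parsed tree and returns a copy built on null-prototype objects,
// throwing on any key that could reach Object.prototype when the tree is
// later deep-merged into application state.
function sanitizeParsedTree(node, path = "$") {
  if (Array.isArray(node)) {
    return node.map((v, i) => sanitizeParsedTree(v, `${path}[${i}]`));
  }
  if (node !== null && typeof node === "object") {
    const out = Object.create(null);
    for (const key of Object.keys(node)) {
      if (FORBIDDEN_KEYS.has(key)) {
        throw new Error(`forbidden key "${key}" at ${path}`);
      }
      out[key] = sanitizeParsedTree(node[key], `${path}.${key}`);
    }
    return out;
  }
  return node; // text and attribute values are plain strings
}

// Constructed samples: a benign tree and one carrying a __proto__ key.
const benign = JSON.parse('{"order":{"id":["42"],"item":[{"$":{"sku":"A1"}}]}}');
const hostile = JSON.parse('{"order":{"__proto__":{"isAdmin":"true"}}}');

// Returns "ok" or the rejection message, so callers can log and drop input.
function tryParse(tree) {
  try { sanitizeParsedTree(tree); return "ok"; }
  catch (e) { return e.message; }
}

// After the hostile tree has been handled, fresh objects must not have
// gained the attacker-chosen property.
function prototypeIsClean() {
  return !("isAdmin" in {});
}
```

Run the sanitizer on every parse result before it touches configuration or session objects; an upgrade to 0.5.0 or later removes the root cause, and the walker remains a cheap defence in depth.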