Xml2js is a popular Node.js library used for converting XML documents into JavaScript objects, making it easier to work with XML data in JavaScript environments. Version 0.4.22 is a minor update from version 0.4.21, but it introduces key changes that developers should be aware of.
A notable difference is in the dependencies. Version 0.4.22 adds util.promisify as a dependency, with the version constraint ~1.0.0. This likely reflects an update to better support asynchronous operations, potentially streamlining promise-based use of the library. The two versions also pin different xmlbuilder versions: 0.4.21 uses ~13.0.0, whereas 0.4.22 uses ~11.0.0. This change in the xmlbuilder version may bring different features or changes in behaviour, so it should be checked carefully.
Both versions share the same core functionality, description, license, repository information, author details, and development dependencies, indicating a focus on maintaining existing features and developer experience. The file count of 9 is the same in both versions, but the unpacked size is slightly larger in version 0.4.22: 43282 bytes against 43235 bytes for the previous version, probably due to the new dependency, which may marginally affect resource usage. The release dates show that version 0.4.22 was released the day after version 0.4.21.
All known vulnerabilities affecting version 0.4.22 of the package
xml2js is vulnerable to prototype pollution
xml2js versions before 0.5.0 allow an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.
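To make the risk described above concrete from a defender's side, the following example is added here; it is not code from xml2js or from this page. It does not reproduce the library's internals. Instead it assumes a common downstream pattern: an application takes the parsed object and deep-merges it onto a defaults object. With a constructed input that carries an own "__proto__" key (built with JSON.parse, because an object literal would set the prototype rather than create a key), a naive merge writes a property onto Object.prototype, so every other object in the process sees it. Two defences that a consumer of parsed output can apply are shown alongside: a scan that reports dangerous keys before the data is used, and a merge that refuses those keys and builds null-prototype containers. All names (naiveMerge, findDangerousKeys, safeMerge, demonstrate) and the sample input are assumptions of this example; upgrading to xml2js 0.5.0 or later remains the primary fix.

```javascript
// Added example, not xml2js code: how a "__proto__" key in parsed input becomes
// prototype pollution during a naive deep merge, and two defences a consumer of
// the parsed output can apply. All input here is constructed for the demo.

// Keys that must never be used as plain property names on a result object.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed stand-in for the object a parser could hand back for input that
// contains a "__proto__" key. JSON.parse creates an OWN property with that
// name (an object literal would instead set the prototype), which is exactly
// the shape that confuses a naive merge.
const CONSTRUCTED_PARSED_INPUT = JSON.parse(
  '{"settings": {"verbose": true}, "__proto__": {"polluted": "yes"}}'
);

// Naive recursive merge (assumed downstream application pattern, not xml2js).
// target["__proto__"] resolves to Object.prototype, so the recursion writes
// "polluted" onto the prototype shared by every plain object in the process.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Defence 1: scan a parsed tree before use and report every dangerous key with
// its dotted path, so the input can be rejected and the event logged.
function findDangerousKeys(tree, path = '') {
  const hits = [];
  if (!tree || typeof tree !== 'object') return hits;
  for (const key of Object.keys(tree)) {
    const here = path ? `${path}.${key}` : key;
    if (DANGEROUS_KEYS.has(key)) hits.push(here);
    hits.push(...findDangerousKeys(tree[key], here));
  }
  return hits;
}

// Defence 2: a merge that drops dangerous keys, only trusts own properties of
// the target, and creates null-prototype containers so there is no chain to walk.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue; // never assign through these names
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both merges against the constructed input and reports what each did to
// an unrelated, freshly created object. The pollution caused by the naive merge
// is removed afterwards so it does not outlive the demonstration.
function demonstrate() {
  const report = {};
  report.dangerousPaths = findDangerousKeys(CONSTRUCTED_PARSED_INPUT);

  naiveMerge({ settings: { verbose: false } }, CONSTRUCTED_PARSED_INPUT);
  report.naiveLeaks = ({}).polluted === 'yes'; // unrelated object is affected
  delete Object.prototype.polluted;            // undo for the rest of the process

  const merged = safeMerge({ settings: { verbose: false } }, CONSTRUCTED_PARSED_INPUT);
  report.safeLeaks = ({}).polluted !== undefined;
  report.safeVerbose = merged.settings.verbose;
  report.safeHasProtoKey = Object.keys(merged).includes('__proto__');
  return report;
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

In practice the scan belongs at the trust boundary, right after parsing, and any hit should fail the request rather than be silently stripped, since a "__proto__" element in inbound XML has no legitimate use and is worth alerting on.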