xml2js is a popular npm package that simplifies working with XML data in JavaScript environments by converting it into easily manageable JavaScript objects. Comparing versions 0.4.23 and 0.4.22, developers will notice subtle but potentially impactful changes in the dependencies included.
Version 0.4.22 lists "util.promisify" as a dependency, while it is absent from 0.4.23. The removal of util.promisify in the newer version suggests a shift in how asynchronous operations are handled within the library. Developers upgrading should investigate whether this change affects their existing codebase, especially if they rely on promises for XML processing. It could mean either that promise support is now implemented natively or that a different promise library is used indirectly.
Both versions share common dependencies such as "sax" for parsing XML and "xmlbuilder" for constructing XML documents, which are essential to the core functionality of xml2js. The developer dependencies, including tools like nyc for code coverage and zap for testing, remain the same between the two versions, indicating a stable development and testing environment.
The "dist" section reveals a minor difference in "unpackedSize" of less than 200 bytes, hinting at small internal code adjustments or optimizations between the releases. Finally, the "releaseDate" confirms that version 0.4.23 was released after 0.4.22, making it the newer version. Developers should always evaluate the changelog of a library when upgrading to understand the full scope of changes and their impact.
All vulnerabilities affecting version 0.4.23 of the package
xml2js is vulnerable to prototype pollution
xml2js versions before 0.5.0 allow an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.
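As an added defensive example (not xml2js code), the following JavaScript validates a parsed element tree before an application merges it into its own state: keys that can reach Object.prototype are rejected rather than silently dropped, a node whose prototype has already been replaced is treated as a symptom of pollution, and the accepted copy is rebuilt on null-prototype objects. The sample trees are constructed inline in the shape xml2js emits (element name to array of children) and are not taken from the package.

```javascript
// Added example, not part of xml2js. Sanitize a parsed XML->object tree
// before it is merged into application state.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function sanitizeTree(node, path = '$') {
  if (Array.isArray(node)) {
    return node.map((item, i) => sanitizeTree(item, `${path}[${i}]`));
  }
  if (node === null || typeof node !== 'object') {
    return node; // text content and other primitives pass through
  }
  // A node whose prototype is neither Object.prototype nor null has already
  // been tampered with (or built by something we do not trust): reject it.
  const proto = Object.getPrototypeOf(node);
  if (proto !== Object.prototype && proto !== null) {
    throw new Error(`unexpected prototype at ${path}`);
  }
  // Rebuild on a null-prototype object so no key can shadow or reach
  // Object.prototype in the copy the application keeps.
  const clean = Object.create(null);
  for (const key of Object.keys(node)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`forbidden key "${key}" at ${path}`);
    }
    clean[key] = sanitizeTree(node[key], `${path}.${key}`);
  }
  return clean;
}

// Wraps the check so callers get a result object instead of an exception.
function checkTree(tree) {
  try {
    return { ok: true, tree: sanitizeTree(tree) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample input (hypothetical values). JSON.parse is used so that
// "__proto__" becomes an own key, which is what a parser produces when it
// writes element names into an object without validating them.
const benignTree = JSON.parse(
  '{"config":{"timeout":["30"],"host":["example.internal"]}}');
const hostileTree = JSON.parse(
  '{"config":{"timeout":["30"],"__proto__":{"polluted":["yes"]}}}');

console.log(checkTree(benignTree).ok, checkTree(hostileTree).reason);
```

The same walk can be applied to the result of any parser that maps untrusted names onto object keys; the point is to validate before the first assignment into an object that shares Object.prototype, not after.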