The xml2js package, a popular choice for converting XML documents into JavaScript objects, saw a notable update from version 0.4.5 to 0.4.6. Both versions share the same core description: a straightforward XML to JavaScript converter for working with XML data in Node.js. The differences lie in their dependencies and release dates. Version 0.4.6, released on March 15, 2015, requires xmlbuilder ">=2.4.6", while the older 0.4.5, released on February 10, 2015, accepted xmlbuilder ">=1.0.0". The sax dependency is "0.6.x" in both versions.
On the development side, both versions rely on zap, diff, docco, and coffee-script for testing, documentation, and the build workflow; the minimum coffee-script version rises from 1.7.1 to 1.9.0 in 0.4.6. Development dependencies are not installed by consumers of the package and do not change its runtime behaviour, so that bump matters only to contributors building from source. For users, the main reason to move to 0.4.6 is the tighter xmlbuilder requirement, which picks up the newer xmlbuilder release and whatever fixes it carries, especially in projects that already depend on a recent xmlbuilder. Note that this upgrade does not address the prototype pollution issue described below, which affects every release before 0.5.0. The releaseDate field is the simplest way to tell which of two versions is newer.
All known vulnerabilities affecting version 0.4.6 of the package
xml2js is vulnerable to prototype pollution
xml2js versions before 0.5.0 allow an attacker who controls the XML input to add or overwrite properties on the parsed object. The parser takes element names from the document and uses them directly as object keys without validating them, so an element named __proto__ is assigned through the Object.prototype.__proto__ setter and replaces the prototype of the resulting object with attacker-supplied content. Any property nested inside that element then appears to be present on the parsed object (for example a role or isAdmin flag that application code checks after parsing), even though it is not an own property and does not show up in JSON.stringify output. Upgrade to 0.5.0 or later; until then, treat parsed objects as untrusted and reject or strip __proto__, constructor and prototype keys before using the result.
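The mechanism described above, shown as an added example rather than xml2js's own code: a tiny parser for a constructed XML subset with a pluggable assignment step, run once with the plain obj[key] = value assignment that causes the pollution and once with a hardened assignment that always creates an own property. The MALICIOUS_XML input, the parser, and the helper names (assignNaive, assignOwn, prototypeIntact) are all constructed for this illustration and are not part of the xml2js API; the defineProperty approach is one way to fix the class of bug, not a claim about how the 0.5.0 patch is written.

```javascript
// Added example (not xml2js code): how an element name lifted straight from
// untrusted XML can rewire an object's prototype, and an assignment that prevents it.
// The parser below handles only a constructed XML subset (nested elements and text
// leaves; no attributes, entities, self-closing tags or mixed content).

// Vulnerable assignment: obj[key] = value. When key is "__proto__" this does not
// create a property; it invokes the Object.prototype.__proto__ setter and replaces
// obj's prototype with attacker-controlled data.
function assignNaive(obj, key, value) {
  obj[key] = value;
}

// Hardened assignment: defineProperty always creates an own property, so "__proto__"
// becomes an ordinary key. Building nodes with Object.create(null) is an alternative,
// since a null-prototype object has no __proto__ accessor to trigger.
function assignOwn(obj, key, value) {
  Object.defineProperty(obj, key, {
    value, writable: true, enumerable: true, configurable: true,
  });
}

// Tiny recursive-descent parser; `assign` decides how child values land on a node.
function parseXml(xml, assign) {
  let pos = 0;

  function parseElement() {
    const open = /^<([^\s/>]+)>/.exec(xml.slice(pos));
    if (!open) throw new Error('expected start tag at offset ' + pos);
    const name = open[1];
    pos += open[0].length;

    let node = null; // null = empty, string = text leaf, object = child elements
    while (!xml.startsWith('</', pos)) {
      if (xml[pos] === '<') {
        if (typeof node === 'string') throw new Error('mixed content not supported');
        if (node === null) node = {};
        const child = parseElement();
        assign(node, child.name, child.value); // element name becomes the key
      } else {
        const end = xml.indexOf('<', pos);
        if (end === -1) throw new Error('unterminated text in <' + name + '>');
        const text = xml.slice(pos, end);
        if (text.trim() !== '') {
          if (node !== null) throw new Error('mixed content not supported');
          node = text;
        }
        pos = end;
      }
    }
    const close = '</' + name + '>';
    if (!xml.startsWith(close, pos)) throw new Error('expected ' + close);
    pos += close.length;
    return { name, value: node === null ? '' : node };
  }

  const root = parseElement();
  const result = {};
  assign(result, root.name, root.value); // wrap the root element under its name
  return result;
}

// Audit helper: true only if every object in the tree still inherits from
// Object.prototype (or Array.prototype), i.e. nothing rewired a prototype.
function prototypeIntact(value) {
  if (value === null || typeof value !== 'object') return true;
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== Array.prototype) return false;
  return Object.values(value).every(prototypeIntact);
}

// Constructed request body: a user may set their name, but "role" is server-controlled.
const MALICIOUS_XML =
  '<user><name>bob</name><__proto__><role>admin</role></__proto__></user>';

const polluted = parseXml(MALICIOUS_XML, assignNaive);
const safe = parseXml(MALICIOUS_XML, assignOwn);

// naive: role === 'admin' (inherited), own keys ['name'], intact false
console.log('naive role:', polluted.user.role, 'own keys:', Object.keys(polluted.user),
  'intact:', prototypeIntact(polluted));
// safe: role === undefined, own keys ['name', '__proto__'], intact true
console.log('safe  role:', safe.user.role, 'own keys:', Object.keys(safe.user),
  'intact:', prototypeIntact(safe));
```

The naive result is the dangerous one precisely because it looks clean: Object.keys and JSON.stringify show only name, yet `polluted.user.role` reads 'admin' through the rewired prototype. A check such as prototypeIntact run over parser output catches this class of tampering regardless of which key was abused.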