Yargs-parser is a popular npm package designed as a robust option parser, widely adopted by the Yargs command-line argument parser and other projects. Version 11.0.0 represents a notable update from the preceding stable version, 10.1.0, offering developers enhanced functionalities and updated dependencies.
One key difference lies in the dependencies. Version 11.0.0 introduces decamelize as a dependency, at version ^1.2.0. Furthermore, it updates camelcase to version ^5.0.0, a jump from the ^4.1.0 version used in 10.1.0, likely incorporating bug fixes and improvements in handling camel-cased strings. Also, the newer version uses more recent releases of the development dependencies such as nyc, chai, mocha, standard, coveralls and standard-version, implying improvements in the testing, linting, and release processes.
Beyond dependency updates, version 11.0.0 is slightly larger, as reflected in the unpacked size (50922 bytes versus 48440 bytes in 10.1.0), suggesting the addition of new features or code optimizations. The release dates of the two versions are also worth comparing. Developers considering yargs-parser should evaluate these changes carefully. Updated dependencies often bring performance improvements and security patches, and since 11.0.0 is the more recent of the two releases, it may be the preferable choice for new projects.
All the vulnerabilities related to version 11.0.0 of the package

yargs-parser Vulnerable to Prototype Pollution

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.