Yargs-parser is a lightweight yet powerful option parser used extensively by the popular yargs command-line argument parser. Comparing versions 11.0.0 and 11.1.0 reveals subtle but important differences for developers. Both versions share the same core dependencies: camelcase and decamelize, crucial for handling argument names. Development dependencies also remain identical, including tools for testing (chai, mocha, nyc), code style (standard), and versioning (standard-version, coveralls). This indicates a focus on maintaining existing code quality and development workflows.
The key distinctions lie in the release specifics. Version 11.1.0, released on November 10, 2018, has an unpacked size of 51709 bytes, slightly larger than version 11.0.0 (50922 bytes), released on October 6, 2018. While the file count remains the same, the increased unpacked size suggests modifications to the codebase, likely bug fixes, performance improvements, or minor feature additions, which may affect parsing behavior or internal mechanisms. Developers should review the changelog or commit history between these versions to understand the precise nature of the changes and how they affect their software. Upgrading is recommended to benefit from the latest enhancements and fixes, ensuring optimal performance and stability in command-line argument parsing.
All vulnerabilities affecting version 11.1.0 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.

Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
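The following is an added illustration and not code from the yargs-parser project: a minimal model of a parser that expands dotted option names into nested objects, showing why --foo.__proto__.bar baz lands on Object.prototype, alongside a reserved-segment check of the kind used to mitigate this class of bug. The names setPath, parseArgv, isPolluted and UNSAFE_SEGMENTS are assumptions for this example only.

```javascript
// Added illustration, not yargs-parser's own code: a minimal model of how a parser that
// expands dotted option names (--a.b value) into nested objects can be polluted, and a check that blocks it.
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a dotted key path, creating intermediate objects, and assign the value.
// With sanitize=false this mirrors the vulnerable behaviour described in the advisory.
function setPath(target, path, value, sanitize) {
  const keys = path.split('.');
  if (sanitize && keys.some((k) => UNSAFE_SEGMENTS.has(k))) {
    throw new Error(`refusing option with reserved key segment: ${path}`);
  }
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    // obj['__proto__'] is not undefined: it resolves to Object.prototype, so the walk
    // escapes `target` and the final assignment lands on the prototype shared by all objects.
    if (obj[keys[i]] === undefined || obj[keys[i]] === null) obj[keys[i]] = {};
    obj = obj[keys[i]];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Tiny argv model: each `--name value` pair is assigned through setPath.
function parseArgv(argv, { sanitize = true } = {}) {
  const result = {};
  for (let i = 0; i + 1 < argv.length; i++) {
    if (argv[i].startsWith('--')) {
      setPath(result, argv[i].slice(2), argv[i + 1], sanitize);
      i++;
    }
  }
  return result;
}

// True when a brand-new, unrelated object inherits `prop`, i.e. Object.prototype was polluted.
function isPolluted(prop) {
  return prop in {};
}

// Run the advisory's payload (constructed argv) against both modes, then undo the pollution.
function demo() {
  const argv = ['--foo.__proto__.bar', 'baz'];
  parseArgv(argv, { sanitize: false });
  const pollutedBefore = isPolluted('bar'); // true: every object now reads .bar === 'baz'
  delete Object.prototype.bar;              // clean up so the rest of the process is unaffected
  let rejected = false;
  try { parseArgv(argv, { sanitize: true }); } catch (err) { rejected = true; }
  return { pollutedBefore, rejected, safeParse: parseArgv(['--foo.bar', 'baz']) };
}
```

Calling demo() returns { pollutedBefore: true, rejected: true, safeParse: { foo: { bar: 'baz' } } }; a detection for this class of input is simply the presence of a reserved segment anywhere in a dotted option name before any assignment happens.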