yargs-parser, a widely adopted option-parsing library used by the yargs package, released version 11.1.1 as a patch-level update following closely after version 11.1.0. Both versions share identical core dependencies: camelcase for converting strings to camel case and decamelize for the reverse operation. Their development dependencies are likewise unchanged: nyc for code coverage, chai for assertions, mocha for testing, standard for code style, coveralls for coverage reporting and standard-version for versioning. The author and licensing information are also the same in both releases.
The differences lie in the release date and the unpacked size. Version 11.1.1 was released on November 19, 2018, nine days after its predecessor, which was released on November 10, 2018. The number of files packaged in the distribution tarball is the same in both versions, but the unpacked size of 11.1.1 is slightly larger, at 52233 bytes compared to 51709 bytes for 11.1.0, which is consistent with a release containing small fixes or minor improvements. The update, though incremental, suggests ongoing maintenance and refinement of the library. If you're using yargs-parser, upgrading to 11.1.1 lets you benefit from these changes, which may address minor issues or edge cases present in the previous version.
All the vulnerabilities related to version 11.1.1 of the package

yargs-parser Vulnerable to Prototype Pollution

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
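To make the mechanism behind the advisory concrete, the following is an added example, not yargs-parser's own code: a minimal parser for dotted options of the form --a.b.c value, written in JavaScript, with the reserved-key check that blocks the pollution path. The argument string is the one quoted in the advisory; the function names (splitKey, setNested, parseArgs, isPolluted, demo) and the RESERVED_KEYS list are assumptions of this example, not identifiers from the library.

```javascript
// Added example, not yargs-parser's own code. Constructed to show how a
// dotted-key option parser reaches Object.prototype via "__proto__", and how
// rejecting reserved path segments prevents it.

// Path segments that, used as object keys, lead to Object.prototype.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// '--foo.__proto__.bar' -> ['foo', '__proto__', 'bar']
function splitKey(flag) {
  return flag.replace(/^--/, '').split('.');
}

// Walks (creating as needed) nested objects along `path` and assigns `value`
// at the leaf. With rejectReserved=false this is the unsafe pattern the
// advisory describes: reading cursor['__proto__'] on a plain object yields
// Object.prototype, so the final write lands on every object.
function setNested(target, path, value, rejectReserved) {
  if (rejectReserved && path.some((seg) => RESERVED_KEYS.has(seg))) {
    throw new Error(`refusing to set reserved key in path "${path.join('.')}"`);
  }
  let cursor = target;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    if (typeof cursor[seg] !== 'object' || cursor[seg] === null) {
      cursor[seg] = {};
    }
    cursor = cursor[seg];
  }
  cursor[path[path.length - 1]] = value;
  return target;
}

// Parses an argv array into an options object. rejectReserved defaults to
// true (the hardened behaviour); false reproduces the vulnerable behaviour.
function parseArgs(argv, rejectReserved = true) {
  const opts = {};
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) continue;
    let value = true; // bare flag
    if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    }
    setNested(opts, splitKey(arg), value, rejectReserved);
  }
  return opts;
}

// Detection check: a freshly created, unrelated object should not see `key`.
// If it does, Object.prototype has been polluted.
function isPolluted(key) {
  return key in {};
}

// Runs both parser modes on the advisory's argument (constructed input) and
// reports what happened; the pollution is undone before returning.
function demo() {
  const argv = ['--foo.__proto__.bar', 'baz'];

  let hardenedRejected = false;
  try {
    parseArgs(argv); // hardened: throws on the reserved segment
  } catch (e) {
    hardenedRejected = true;
  }
  const cleanAfterHardened = !isPolluted('bar');

  parseArgs(argv, false); // unsafe: writes Object.prototype.bar = 'baz'
  const pollutedAfterUnsafe = isPolluted('bar');
  delete Object.prototype.bar; // restore the runtime for everything else

  return { hardenedRejected, cleanAfterHardened, pollutedAfterUnsafe };
}
```

The check in setNested is the design point: the fix is applied to the path segments before any property access, because once the parser reads cursor['__proto__'] it is already holding Object.prototype and any later validation is too late. The isPolluted helper is also the simplest runtime detection for this class of bug: if a brand-new empty object answers true to `'bar' in {}`, some earlier code wrote through the prototype chain.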