Yargs-parser version 12.0.0 represents an incremental update over version 11.1.1 of this widely-used option parsing library, favored for its robustness and integration with the popular yargs command-line argument parser. Both versions share a common foundation, including dependencies on camelcase and decamelize for string manipulation, and a consistent suite of development tools like nyc for code coverage, chai and mocha for testing, standard for code style enforcement, coveralls for coverage reporting, and standard-version for version management.
The core option-parsing behaviour and developer experience are largely the same in both versions, so developers familiar with 11.1.1 will find the move to 12.0.0 straightforward. The unpacked size listed in the dist section grows from 52233 bytes to 53259 bytes, a change too small to say anything about what was added; the project changelog, not the bundle size, is the place to look for the actual differences. From a security standpoint, note that 12.0.0 falls inside the range affected by the prototype pollution advisory listed below, so moving from 11.1.1 to 12.0.0 does not address that issue; the nearest fixed release for this line is 13.1.2. Version 12.0.0 was released on January 29, 2019, and version 11.1.1 on November 19, 2018.
All the vulnerabilities related to version 12.0.0 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser, for example when a service builds an argument list from user-supplied input and hands it to the parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later (the fixed release depends on the major line in use; for 12.0.0 the nearest fixed release is 13.1.2).
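To make the advisory concrete, here is an added example that is not yargs-parser's own code and not part of the original page. It re-implements, in a few lines, the dotted-key assignment pattern that makes --foo.__proto__.bar baz dangerous, shows the pollution check a practitioner would run after parsing, and places a hardened variant beside it. The hardened variant goes beyond the page's single example: it also rejects constructor and prototype as path segments, since --foo.constructor.prototype.bar reaches Object.prototype the same way. The function names parseArgs, setKeyVulnerable and setKeySafe are assumptions for this illustration.

```javascript
'use strict';

// Illustrative re-implementation of dotted-key assignment; not yargs-parser's code.
// Path segments that let a dotted key walk onto a shared prototype.
const BLOCKED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable form: walks the dotted path, creating intermediate objects as needed.
// For "foo.__proto__.bar", o['__proto__'] is Object.prototype, which is not
// undefined, so the walk continues onto the shared prototype and writes "bar" there.
function setKeyVulnerable(obj, path, value) {
  const segments = path.split('.');
  let o = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (o[seg] === undefined) o[seg] = {};
    o = o[seg];
  }
  o[segments[segments.length - 1]] = value;
  return obj;
}

// Hardened form: refuse the dangerous segments outright, and only descend into
// own, plain-object properties so inherited values are never used as a container.
function setKeySafe(obj, path, value) {
  const segments = path.split('.');
  for (const seg of segments) {
    if (BLOCKED_SEGMENTS.has(seg)) {
      throw new Error(`refusing unsafe key segment: ${seg}`);
    }
  }
  let o = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const own = Object.prototype.hasOwnProperty.call(o, seg);
    if (!own || typeof o[seg] !== 'object' || o[seg] === null) o[seg] = {};
    o = o[seg];
  }
  o[segments[segments.length - 1]] = value;
  return obj;
}

// Minimal argv parser (assumed shape): handles --key value and --key=value,
// treats everything else as positional, and delegates assignment to setKey.
function parseArgs(argv, setKey) {
  const result = { _: [] };
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) {
      result._.push(arg);
      continue;
    }
    let key = arg.slice(2);
    let value;
    const eq = key.indexOf('=');
    if (eq !== -1) {
      value = key.slice(eq + 1);
      key = key.slice(0, eq);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    } else {
      value = true;
    }
    setKey(result, key, value);
  }
  return result;
}

// Constructed attacker input, exactly the argument quoted in the advisory.
const ATTACK_ARGV = ['--foo.__proto__.bar', 'baz'];

// Feed the attack to the vulnerable parser and report whether a fresh,
// unrelated object now carries the injected property. Cleans up afterwards.
function demoPollution() {
  parseArgs(ATTACK_ARGV, setKeyVulnerable);
  const polluted = ({}).bar === 'baz';
  delete Object.prototype.bar;
  return polluted;
}

// Feed the same input to the hardened parser: expect it to be rejected and
// Object.prototype to be left untouched.
function demoHardened() {
  try {
    parseArgs(ATTACK_ARGV, setKeySafe);
    return 'accepted';
  } catch (e) {
    return ({}).bar === undefined ? 'rejected' : 'polluted';
  }
}

console.log('vulnerable parser polluted Object.prototype:', demoPollution());
console.log('hardened parser result:', demoHardened());
```

The `({}).bar === undefined` check is the practical test to run in a process that has parsed untrusted arguments with an affected version: any unexpected own-looking property on a brand-new object is evidence of pollution. The blocklist approach mirrors the direction the fixed releases took; the own-property check is an additional defence that stops inherited values from ever being used as a path container.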