Yargs-parser, the option parser used by the popular yargs library, moved from version 12.0.0 to 13.0.0. Both versions share the same core dependencies, camelcase and decamelize, which are used for argument parsing. The development dependencies for testing and linting are also unchanged: nyc, chai, mocha, standard, coveralls, and standard-version. The license remains ISC and the repository URL stays the same.
Several subtle but potentially important differences exist, however. The unpacked size of version 13.0.0 is slightly larger, 53893 bytes compared to 53259 bytes for version 12.0.0, which indicates additions or modifications to the code: bug fixes, performance improvements, or new features. The release dates also differ: version 13.0.0 was released on February 2nd, 2019, after version 12.0.0 on January 29th, 2019, so new features or updates may be present. Developers should consult the changelog or release notes (if available) in the yargs-parser GitHub repository to learn exactly what changed. Although these changes look small, they can significantly affect how the parser handles user input.
All known vulnerabilities affecting version 13.0.0 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
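The mechanism and its remediation as an added example (not yargs-parser's own code): a minimal dotted-key option setter in a vulnerable form and a hardened form, plus a check a defender can run after parsing to confirm Object.prototype is still clean. Extending the forbidden list beyond the advisory's __proto__ to constructor and prototype is an assumption of this example, not something the page states.

```javascript
// Added example, not yargs-parser's code. Key segments a dotted option
// path must never walk into. The advisory names __proto__; constructor
// and prototype are added here as defence in depth (assumption).
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable form: walks the dotted key blindly, so "foo.__proto__.bar"
// steps from foo into Object.prototype and writes "bar" there.
function setPathUnsafe(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  let node = target;
  for (const part of parts.slice(0, -1)) {
    if (typeof node[part] !== 'object' || node[part] === null) node[part] = {};
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Hardened form: rejects forbidden segments up front and only creates
// prototype-less containers, so the walk can never leave the target.
function setPathSafe(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  for (const part of parts) {
    if (FORBIDDEN_SEGMENTS.has(part)) {
      throw new Error(`refusing option key with segment "${part}"`);
    }
  }
  let node = target;
  for (const part of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, part);
    if (!own || typeof node[part] !== 'object' || node[part] === null) {
      node[part] = Object.create(null);
    }
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Tiny argv walker: "--a.b value" sets a.b, a bare "--flag" sets true.
function parseArgv(argv, setter) {
  const out = {};
  for (let i = 0; i < argv.length; i++) {
    if (!argv[i].startsWith('--')) continue;
    const hasValue = i + 1 < argv.length && !argv[i + 1].startsWith('--');
    setter(out, argv[i].slice(2), hasValue ? argv[++i] : true);
  }
  return out;
}

// Defender check: has Object.prototype gained an unexpected own property?
function prototypeIsClean(name) {
  return !Object.prototype.hasOwnProperty.call(Object.prototype, name);
}
```

Running parseArgv with setPathSafe over the advisory's argument throws instead of polluting, and prototypeIsClean('bar') can be asserted at startup to catch any other polluting path.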