Yargs-parser is a robust option-parsing library used by the popular yargs command-line argument parser. Version 13.1.1 is a minor update over the previous stable release, 13.1.0. Both versions share the same core dependencies, camelcase and decamelize, which convert strings to and from camel case. The development dependencies are also unchanged, covering testing (chai, mocha), code coverage (nyc, coveralls), code style (standard), and version management (standard-version).
The primary difference lies in the dist metadata. Version 13.1.1 has a slightly larger unpacked size of 56619 bytes compared to 55362 bytes for 13.1.0. The file count stays at 6 for both versions, so the size difference suggests minor code changes, bug fixes, or documentation updates in v13.1.1. Developers should consider upgrading to the newer version to benefit from any bug fixes and potential improvements. Version 13.1.1 is also the more recent release, published on June 10, 2019, while version 13.1.0 was published on May 5, 2019. Both versions are licensed under ISC and are available on npm. The author of both versions is Ben Coe.
All vulnerabilities affecting version 13.1.1 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
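As an added illustration (not yargs-parser's own code) of the --foo.__proto__.bar baz case above: a constructed dotted-key setter in the naive form that walks into Object.prototype, beside a hardened form that rejects prototype keys, plus a probe a test suite can run after parsing to detect pollution. The setter, parser and key blocklist are assumptions for the example, not the library's API.

```javascript
// Constructed illustration (not yargs-parser's own code): a dotted-key setter
// as option parsers use for "--a.b.c value", naive and then hardened.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive walk: obj['__proto__'] resolves to Object.prototype, so the final
// assignment lands on every object in the process.
function setPathNaive(target, path, value) {
  const keys = path.split('.');
  let obj = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof obj[key] !== 'object' || obj[key] === null) obj[key] = {};
    obj = obj[key];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Hardened walk: reject dangerous segments, use prototype-less intermediate
// nodes, and descend only into own properties.
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => DANGEROUS_KEYS.has(k))) {
    throw new Error(`refusing unsafe option key: ${path}`);
  }
  let obj = target;
  for (const key of keys.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(obj, key) ||
        typeof obj[key] !== 'object' || obj[key] === null) {
      obj[key] = Object.create(null);
    }
    obj = obj[key];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Minimal "--key value" / "--flag" parser feeding either setter.
function parseArgs(argv, setPath) {
  const out = {};
  for (let i = 0; i < argv.length; i++) {
    if (!argv[i].startsWith('--')) continue;
    const key = argv[i].slice(2);
    const hasValue = i + 1 < argv.length && !argv[i + 1].startsWith('--');
    setPath(out, key, hasValue ? argv[++i] : true);
  }
  return out;
}

// Detection probe: has a property been written onto Object.prototype itself?
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}
```

Running the advisory's argument through setPathNaive makes isPolluted('bar') true for the whole process, while setPathSafe throws before any write and leaves Object.prototype untouched.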