Yargs-parser, a robust option parsing library favored within the Yargs ecosystem, has seen a version update from 17.1.0 to 18.0.0. Both versions, under the ISC license and authored by Ben Coe, offer a reliable solution for handling command-line arguments. The core dependencies remain consistent, relying on camelcase and decamelize for string manipulation, indicating that the fundamental parsing logic isn't drastically altered. The developer tooling also holds steady, with c8, chai, mocha, standard, and coveralls facilitating testing, linting, and coverage reporting, essential for maintaining code quality.
The more recent version, 18.0.0, shows a slight increase in unpackedSize from 67949 to 68857, suggesting minor additions or adjustments to the codebase. While the core functionality is likely preserved, developers might find performance improvements, bug fixes, or potentially new features. The key takeaway for those using yargs-parser should be its continued support and incremental improvements. Published just a little over 24 hours after the previous version, this release likely addresses immediate issues or incorporates enhancements discovered after the release of version 17.1.0. Developers should consult the changelog and release notes in the yargs-parser GitHub repository to ascertain the specifics of the upgrade and whether it addresses any issues they are facing.
All vulnerabilities related to version 18.0.0 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
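To make the advisory concrete, here is an added example (not yargs-parser's own code): a toy "--a.b.c value" option parser whose dotted-key setter is shown first in the vulnerable shape the advisory describes, then hardened so that reserved prototype-chain segments are rejected and lookups only descend into own properties. All function names are invented for the illustration.

```javascript
// Added example (not yargs-parser's own code): a toy "--a.b.c value" parser whose
// dotted-key setter is shown in the vulnerable shape the advisory describes, then hardened.

// Vulnerable: "foo.__proto__.bar" walks into Object.prototype and writes there.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let obj = target;
  for (const key of keys.slice(0, -1)) {
    if (obj[key] === undefined) obj[key] = {};
    obj = obj[key];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Segments that would let a path step onto a shared prototype.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: refuse reserved segments, only descend into own properties, and
// create intermediate objects with no prototype to walk into.
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => RESERVED_KEYS.has(k))) {
    throw new Error(`rejected option path with reserved key: ${path}`);
  }
  let obj = target;
  for (const key of keys.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(obj, key)) {
      obj[key] = Object.create(null);
    }
    obj = obj[key];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Minimal argv loop handling "--key value", "--key=value" and bare "--flag".
function parseArgs(argv, setPath = setPathSafe) {
  const result = {};
  for (let i = 0; i < argv.length; i++) {
    if (!argv[i].startsWith('--')) continue; // positionals ignored here
    let key = argv[i].slice(2);
    let value = true;
    const eq = key.indexOf('=');
    if (eq !== -1) [key, value] = [key.slice(0, eq), key.slice(eq + 1)];
    else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) value = argv[++i];
    setPath(result, key, value);
  }
  return result;
}
```

Running parseArgs(['--foo.__proto__.bar', 'baz'], setPathUnsafe) leaves ({}).bar === 'baz' for every object in the process, which is the condition the advisory describes; the hardened setter throws on the same input instead.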