Yargs-parser is a robust and versatile option parser designed for use with the popular yargs command-line argument parsing library, offering developers a simple way to build powerful CLIs in JavaScript projects. Comparing version 2.4.1 with 2.4.0, we see a subtle but important change in dependency management. Version 2.4.1 updates the camelcase dependency from ^2.1.1 to ^3.0.0. This shift likely introduces improvements and bug fixes in how strings are converted to camelCase, potentially affecting how command-line arguments are processed and named within your application.
Furthermore, the newer version modifies its development dependencies, updating nyc, the Istanbul command-line interface, from version ^6.4.0 to ^7.0.0, and standard, a JavaScript linter, from version ^6.0.8 to ^7.1.0, suggesting enhanced code coverage reporting and adherence to newer JavaScript coding standards. While these changes primarily affect the development workflow and testing of yargs-parser itself, using version 2.4.1 helps ensure greater reliability of CLI applications.
Both versions share the same core dependency (lodash.assign), license, and repository details. Developers choosing between these versions should prefer 2.4.1 to benefit from the updated camelcase library and the improvements in tooling such as nyc and standard, which ultimately promote better code quality and reliability of dependent packages.
All vulnerabilities affecting version 2.4.1 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
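The mechanism behind this advisory, as an added JavaScript example that is not yargs-parser's own code: a minimal dotted-key option setter of the kind an argument parser uses for --a.b value, in a naive form that walks onto Object.prototype through a __proto__ segment, beside a hardened form that rejects the __proto__, constructor and prototype segments, plus a runtime check for whether Object.prototype has acquired an unexpected own property. The names parseArgv, setPathNaive, setPathSafe, isObjectPrototypePolluted and demonstrate are assumptions made for this example; the argument string is the one quoted in the advisory.

```javascript
// Added example, not yargs-parser's own code. Shows how a dotted-key option
// setter becomes a prototype-pollution sink and how to harden it. All names
// here (parseArgv, setPathNaive, setPathSafe, ...) are assumed for the demo.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive setter: plain property access on each path segment. On a plain
// object, obj['__proto__'] returns Object.prototype, so the walk steps onto
// the shared prototype and the final assignment lands there.
function setPathNaive(target, path, value) {
  const keys = path.split('.');
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (obj[keys[i]] === undefined) obj[keys[i]] = {};
    obj = obj[keys[i]];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Hardened setter: reject prototype-reaching segments up front, and only
// descend into containers that are own properties of the current object.
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_SEGMENTS.has(k)) {
      throw new Error('refusing prototype-reaching key segment: ' + k);
    }
  }
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(obj, k);
    if (!own || typeof obj[k] !== 'object' || obj[k] === null) {
      obj[k] = {};
    }
    obj = obj[k];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Tiny argv reader: "--a.b value" pairs; a flag without a value becomes true.
function parseArgv(argv, setPath) {
  const result = {};
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (!tok.startsWith('--')) continue;
    const key = tok.slice(2);
    const next = argv[i + 1];
    let value = true;
    if (next !== undefined && !next.startsWith('--')) {
      value = next;
      i++;
    }
    setPath(result, key, value);
  }
  return result;
}

// Detection: has an own property with this name appeared on Object.prototype?
// Cheap self-check to run right after untrusted input has been parsed.
function isObjectPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Run the advisory's argument through a setter, record the effect on a fresh
// empty object, then undo any pollution so the process is left clean.
function demonstrate(setPath) {
  let threw = false;
  try {
    parseArgv(['--foo.__proto__.bar', 'baz'], setPath);
  } catch (e) {
    threw = true;
  }
  const outcome = {
    threw,
    polluted: isObjectPrototypePolluted('bar'),
    leaked: ({}).bar,
  };
  delete Object.prototype.bar;
  return outcome;
}

console.log('naive:', demonstrate(setPathNaive));
console.log('safe: ', demonstrate(setPathSafe));
```

Run with node; the naive setter reports a polluted prototype and a leaked bar value on an unrelated empty object, while the hardened setter throws before touching anything. The same segment check belongs wherever dotted keys or nested user input are merged into objects (environment variables, config files, query strings), not only in argv handling; freezing Object.prototype at startup is a further defence-in-depth option, at the cost of breaking any code that legitimately extends it.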