Yargs is a lightweight command-line argument parser for Node.js, designed to simplify building interactive command-line tools. Comparing versions 1.0.10 and 1.0.11 reveals only slight differences, primarily in their release dates: December 12th, 2013, for 1.0.10 and December 13th, 2013, for 1.0.11. Developers considering adopting yargs can expect a consistent feature set across these versions. Both rely on minimist for basic argument parsing, include tap and hashish as development dependencies for testing and development workflows, and are released under the MIT/X11 license. The library is maintained by Alex Ford as a fork of James Halliday's work, and the source code repository is publicly available for anyone who wants to read the code.
For developers, yargs provides a straightforward way to define and handle command-line options. It lets you define arguments and subcommands, parse user input, and print helpful usage instructions, which is essential for building user-friendly command-line interfaces (CLIs). The lack of substantial changes between these versions suggests a stable core. Developers can install this version with npm or yarn by referencing the desired version number.
All the vulnerabilities related to version 1.0.11 of the package
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
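Both advisories above come down to the same defect: the nested-key setter that handles "--a.b=c" style options will happily walk through __proto__. The following is an added example, not minimist's or yargs' own code, of a small parser for that option style whose setter refuses such keys; the blocklist, function names and the isPolluted check are this example's own assumptions, not minimist's fix.

```javascript
'use strict';
// Added example, not minimist's or yargs' own code: a small "--a.b=c" option
// parser whose nested-key setter refuses the keys through which
// "--__proto__.y=Polluted" reaches Object.prototype. Blocklist is an assumption.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Write value at a dotted path, creating null-prototype intermediates.
// Any segment that could walk up to Object.prototype throws instead of being
// written, so neither the pollution nor the crash described above can occur.
function setKeySafe(obj, keys, value) {
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (DANGEROUS_KEYS.has(key)) throw new Error(`rejected key "${key}"`);
    if (!Object.prototype.hasOwnProperty.call(o, key) || typeof o[key] !== 'object' || o[key] === null) {
      o[key] = Object.create(null);
    }
    o = o[key];
  }
  const last = keys[keys.length - 1];
  if (DANGEROUS_KEYS.has(last)) throw new Error(`rejected key "${last}"`);
  o[last] = value;
}

// Long-option parsing: --k=v, --k v, --flag (true), --no-flag (false);
// anything else is a positional in args._. Rejected keys are reported,
// not thrown, so a CLI can log them and keep running.
function parseArgs(argv) {
  const args = { _: [] };
  const rejected = [];
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) { args._.push(arg); continue; }
    const body = arg.slice(2);
    const eq = body.indexOf('=');
    let name, value;
    if (eq !== -1) { name = body.slice(0, eq); value = body.slice(eq + 1); }
    else if (body.startsWith('no-')) { name = body.slice(3); value = false; }
    else if (i + 1 < argv.length && !argv[i + 1].startsWith('-')) { name = body; value = argv[++i]; }
    else { name = body; value = true; }
    try { setKeySafe(args, name.split('.'), value); } catch (e) { rejected.push(name); }
  }
  return { args, rejected };
}

// Post-parse check a CLI can run: has a property leaked onto every object?
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}
```

Running parseArgs over the two argument strings quoted in the advisory leaves `({}).y` undefined and reports both names in `rejected`, while ordinary nested options such as `--db.host=localhost` still parse.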