Yargs, a lightweight option parsing library for Node.js applications, experienced a relatively minor update between versions 1.0.12 and 1.0.13. Both versions share the same core functionality, offering a simple way to process command-line arguments into an easily accessible argv hash, without the complexities of traditional optstrings. Developers leveraging Yargs for basic argument parsing will find the transition virtually seamless.
The dependency list is unchanged between the two releases: minimist at "~0.0.1" is the only runtime dependency and does the actual argument tokenization, while tap ("~0.4.0") and hashish ("~0.0.4") are used only for development and testing. Because the parsing backend is identical, the core parsing behaviour is the same in both versions. Note that the tilde range "~0.0.1" only ever resolves to a minimist 0.0.x release. The license remains MIT/X11, ensuring broad compatibility.
The only visible difference in the package metadata is the release date. Version 1.0.12 was released on December 13, 2013, and version 1.0.13 followed on February 5, 2014. With no dependency changes and no major version bump, 1.0.13 most likely carries bug fixes, small internal improvements or documentation changes that the maintainers considered worth a release on their own.
Users running version 1.0.12 can upgrade to 1.0.13 to pick up any such fixes and should expect no breaking changes to the API or to parsing behaviour. If the current installation works as intended, upgrading is not urgent. From a security standpoint, however, note that this upgrade does nothing for the minimist advisories listed below: the "~0.0.1" range cannot resolve to any of the fixed minimist versions (0.2.1/0.2.4 or 1.2.3/1.2.6 and later), so both 1.0.12 and 1.0.13 remain exposed to the prototype pollution issues in their bundled minimist.
All the vulnerabilities related to version 1.0.13 of the package (all of them are inherited from its minimist dependency)
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of a property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist, for example when a service builds the argv of a child process from request data or from a configuration file it does not trust.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Note that this second advisory covers releases that already contain the fix from the first one (0.2.1 to 0.2.3 and 1.2.3 to 1.2.5), so the version to require when auditing a dependency tree is 0.2.4 or 1.2.6 at minimum.