Yargs version 10.0.0 is an incremental update from version 9.0.1, offering developers a refined command-line argument parsing experience. Both versions keep the core functionality of providing a modern, pirate-themed alternative to optimist. A key distinction lies in the updated dependencies. Version 10.0.0 upgrades yargs-parser from version 7.0.0 to version 8.0.0 and replaces read-pkg-up with find-up, which can potentially offer developers enhanced parsing capabilities and improvements in package finding.
Developers upgrading to version 10.0.0 should pay attention to the updated yargs-parser dependency, as it could introduce subtle changes in how arguments are parsed and handled. Reviewing the yargs-parser changelog to understand the specific modifications is recommended. The update also replaces camelcase with find-up in the dependencies. For developers deciding between the versions, the choice hinges on their need for the latest features and bug fixes within yargs-parser and related dependencies. Both versions keep the same development dependencies, ensuring a consistent testing and development environment. As both are older versions, developers might also want to evaluate newer alternatives to get the latest functionality and fixes.
All vulnerabilities related to version 10.0.0 of the package
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can drive up CPU usage and crash the program by supplying a very large, well-crafted string.
Denial of Service in mem
Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.
Upgrade to version 4.0.0 or later.
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
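As an added example (not yargs-parser's own code), a simplified dotted-key setter of the kind option parsers use to turn --foo.bar baz into { foo: { bar: 'baz' } }, shown in a naive form that reproduces the pollution described above and a hardened form that rejects it, together with a check that reports whether Object.prototype already carries an injected property:

```javascript
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive form: trusts every segment. "__proto__" resolves to Object.prototype,
// so the final assignment lands on every object in the process.
function setPathNaive(target, path, value) {
  const parts = path.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened form: rejects prototype-reaching segments and only walks into
// properties the current object owns, never inherited ones.
function setPathSafe(target, path, value) {
  const parts = path.split('.');
  for (const p of parts) {
    if (FORBIDDEN_SEGMENTS.has(p)) throw new TypeError(`unsafe path segment "${p}" in "${path}"`);
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Detection: true when Object.prototype itself carries `key`, i.e. it is polluted.
function isPolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Runs the advisory's "--foo.__proto__.bar baz" case through both setters and
// then deletes the polluted property so the process is left clean.
function demo() {
  const before = isPolluted('bar');
  setPathNaive({}, 'foo.__proto__.bar', 'baz');
  const afterNaive = isPolluted('bar');
  const leaked = ({}).bar; // a fresh, unrelated object now reads 'baz'
  delete Object.prototype.bar;
  let safeRejected = false;
  try { setPathSafe({}, 'foo.__proto__.bar', 'baz'); } catch (e) { safeRejected = e instanceof TypeError; }
  return { before, afterNaive, leaked, safeRejected, afterSafe: isPolluted('bar') };
}
```

The same isPolluted check, run against a few sentinel keys at startup or in a test, is a cheap way to catch a polluted runtime regardless of which parser let the key through.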