Yargs 10.0.2 is a patch release that followed 10.0.1 by roughly two days; both belong to the 10.0.x line of the popular command-line argument parsing library. Their package manifests differ only in version number and publication date. The runtime dependency tree (y18n, cliui, yargs-parser and the rest) is pinned to the same versions in both, so the underlying argument parsing logic did not change, and the development dependencies (mocha for testing, standard for linting, nyc for coverage) are the same as well.
With no dependency or API change recorded, the patch most likely covers minor bug fixes, documentation or internal cleanup; the package metadata does not state its exact contents. Moving from 10.0.1 to 10.0.2 is therefore low-risk and recommended within the 10.0.x line, and existing usage patterns carry over unchanged. The identical dependency tree cuts both ways, however: the advisories listed below concern transitive dependencies (yargs-parser, mem, cross-spawn), so upgrading between 10.0.1 and 10.0.2 does not change exposure to any of them. Remediation means pulling in the fixed versions of those packages, which in practice means upgrading yargs itself to a release line that depends on a patched yargs-parser; running npm ls yargs-parser mem cross-spawn (or npm audit) in the project shows which versions are actually installed. Both releases are distributed under the MIT license.
Known vulnerabilities affecting version 10.0.2 of the package, all of them in its dependency tree
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization: a crafted, very long string triggers catastrophic backtracking in a regular expression, driving CPU usage up and hanging or crashing the program. Upgrade to cross-spawn 7.0.5 or later.
Denial of Service in mem
Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from its cache even after a value passes its maxAge: expiry is only honoured when a key is looked up again, so entries for keys that are never requested twice stay resident forever. An attacker who can feed an unbounded stream of distinct inputs into a memoized function (for example by abusing application logging) can therefore exhaust the system's memory.
Upgrade to version 4.0.0 or later.
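To make the failure mode concrete, here is an added example (not mem's source code) of a memoizer that checks maxAge only at lookup time and never deletes expired entries, beside a version that evicts them. The clock is injectable so the scenario runs deterministically; the function names, the eviction strategy and the constructed log-message workload are this example's own assumptions, not mem's implementation.

```javascript
// Added example, not mem's source: a maxAge memoizer that never evicts,
// beside one that does. `now` is injectable so tests can control time.

function memoizeLeaky(fn, { maxAge, now = Date.now } = {}) {
  const cache = new Map();
  const memoized = (key) => {
    const hit = cache.get(key);
    if (hit !== undefined && now() - hit.createdAt < maxAge) return hit.value;
    // A stale hit is overwritten, but a key that is never requested again
    // stays in the Map forever: every distinct input costs memory permanently.
    const value = fn(key);
    cache.set(key, { value, createdAt: now() });
    return value;
  };
  memoized.size = () => cache.size;
  return memoized;
}

function memoizeEvicting(fn, { maxAge, now = Date.now } = {}) {
  const cache = new Map();
  // Map preserves insertion order and a key is only set when absent, so the
  // oldest entry is always first: the sweep stops at the first live entry and
  // costs O(1) amortised per call. Deleting during Map iteration is safe.
  const evictExpired = () => {
    const t = now();
    for (const [key, entry] of cache) {
      if (t - entry.createdAt < maxAge) break;
      cache.delete(key);
    }
  };
  const memoized = (key) => {
    evictExpired();
    const hit = cache.get(key);
    if (hit !== undefined) return hit.value; // cannot be stale after the sweep
    const value = fn(key);
    cache.set(key, { value, createdAt: now() });
    return value;
  };
  memoized.size = () => cache.size;
  return memoized;
}

// Constructed workload (hypothetical): an application memoizes a log-line
// formatter, an attacker controls the message text and sends `distinctMessages`
// unique ones, and the process keeps running past maxAge. Returns the number of
// entries still held in the cache after one further call.
function simulateUniqueKeyFlood(memoize, distinctMessages, maxAge) {
  let clock = 0;
  const format = (msg) => `[log] ${msg}`;
  const cached = memoize(format, { maxAge, now: () => clock });
  for (let i = 0; i < distinctMessages; i++) cached(`request-id-${i}`);
  clock = maxAge + 1;          // everything inserted above is now expired
  cached('request-id-after');  // one more call after expiry
  return cached.size();
}
```

With memoizeLeaky the flood of 1000 distinct messages is still resident after expiry (1001 entries, counting the final call); with memoizeEvicting only the one live entry remains. The sweep-on-call design is one of several valid fixes; a timer per entry or a periodic sweep would also bound the cache, the point being that expiry must actually delete, not merely be consulted on the next lookup.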
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution: arguments are not properly sanitized, so an attacker can modify the prototype of Object, adding or changing a property that then exists on all objects. For example, parsing the argument --foo.__proto__.bar baz adds a bar property with the value baz to every object. This is only exploitable if attackers have control over the arguments being passed to yargs-parser, for instance when an application feeds strings derived from untrusted input to the parser rather than only its own command line.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
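The mechanism behind the --foo.__proto__.bar baz payload, as an added example that is not yargs-parser's source: a minimal dotted-key argument parser written in the vulnerable style the advisory describes, beside a hardened version that refuses prototype-reaching path segments and stores nested values in prototype-less objects. All function names, the tokenizer and the sample argument vectors are this example's own assumptions.

```javascript
// Added example, not yargs-parser's code: minimal dotted-key argv parsing,
// first in the vulnerable style, then hardened.

// Split "--a.b.c=value", "--a.b.c value" and bare "--flag" into [path, value].
function tokenize(argv) {
  const pairs = [];
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (!tok.startsWith('--')) continue; // positionals are ignored here
    let key = tok.slice(2);
    let value;
    const eq = key.indexOf('=');
    if (eq !== -1) {
      value = key.slice(eq + 1);
      key = key.slice(0, eq);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    } else {
      value = true;
    }
    pairs.push([key.split('.'), value]);
  }
  return pairs;
}

// Vulnerable style: walks the dotted path with plain property access. For
// ["foo", "__proto__", "bar"] the second step reads result.foo.__proto__,
// which is Object.prototype, so the final assignment lands on every object.
function parseArgsUnsafe(argv) {
  const result = {};
  for (const [path, value] of tokenize(argv)) {
    let cur = result;
    for (const seg of path.slice(0, -1)) {
      if (typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = value;
  }
  return result;
}

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: reject any segment that could reach a prototype, and build
// containers with Object.create(null) so "__proto__" is an ordinary key even
// if a check were bypassed. Failing closed (throwing) is deliberate.
function parseArgsSafe(argv) {
  const result = Object.create(null);
  for (const [path, value] of tokenize(argv)) {
    for (const seg of path) {
      if (FORBIDDEN_SEGMENTS.has(seg)) {
        throw new Error(`refusing argument path "${path.join('.')}": segment "${seg}" not allowed`);
      }
    }
    let cur = result;
    for (const seg of path.slice(0, -1)) {
      if (!Object.prototype.hasOwnProperty.call(cur, seg) || typeof cur[seg] !== 'object') {
        cur[seg] = Object.create(null);
      }
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = value;
  }
  return result;
}

// Runs a payload through the unsafe parser, records what leaked onto a fresh
// object, then undoes the pollution so the process stays usable afterwards.
function demonstratePollution(argv) {
  parseArgsUnsafe(argv);
  const leaked = ({}).bar;
  delete Object.prototype.bar;
  return leaked;
}
```

Calling demonstratePollution(['--foo.__proto__.bar', 'baz']) returns 'baz', taken from a brand-new empty object, which is exactly the advisory's effect; parseArgsSafe throws on the same input and parses benign nested keys such as --db.host localhost --port=8080 into a null-prototype object. The segment deny-list and the null-prototype containers are complementary: the first stops the traversal, the second removes the special meaning of __proto__ on the containers being written to.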