Yargs, the popular command-line argument parsing library, released version 10.0.3 shortly after 10.0.2, both on October 21, 2017. Examining the package data reveals minimal differences between these two versions, primarily distinguished by their release dates and the specific tarball URLs for downloading the packages. The core functionality remains consistent, with identical dependencies and development dependencies listed.
For developers, this suggests that upgrading from 10.0.2 to 10.0.3 is likely a low-risk proposition, potentially addressing minor bugs or packaging issues rather than introducing significant feature changes. Yargs simplifies the process of building interactive command-line tools by elegantly parsing arguments, providing help messages, and offering powerful options for customization.
The library's dependencies highlight its robust nature, including 'y18n' for internationalization, 'cliui' for creating formatted command-line output, and 'yargs-parser' for the actual argument parsing logic. Development dependencies show testing frameworks like 'mocha' and 'chai', as well as code quality tools like 'standard', demonstrating commitment to code maintainability and reliability. Because the core functionality and dependencies remain the same, developers familiar with 10.0.2 can expect a seamless transition to 10.0.3 within their projects. The MIT license grants developers flexibility in using and modifying Yargs for various purposes.
All known vulnerabilities affecting version 10.0.3 of the package
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can drive up CPU usage and crash the program by supplying a very large, well-crafted string.
Denial of Service in mem
Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.
Upgrade to version 4.0.0 or later.
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
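The defensive check that patched releases apply, shown here as an added example rather than yargs-parser's own code: a minimal dotted-key argument setter that refuses __proto__, constructor and prototype segments, so the advisory's --foo.__proto__.bar baz input is reported instead of being written into Object.prototype. The helper names (isSafePath, setPath, parseArgs) are assumptions for this illustration.

```javascript
// Added example (not yargs-parser's code): a minimal dotted-key argv parser
// hardened against the prototype-pollution path described in the advisory.
// Helper names (isSafePath, setPath, parseArgs) are hypothetical.

// Segments that would let a dotted key walk into Object.prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// A path is safe only if none of its segments is a prototype accessor.
function isSafePath(segments) {
  return segments.every((seg) => !FORBIDDEN_SEGMENTS.has(seg));
}

// Assign value under a dotted key; returns false (and writes nothing)
// when the key would reach the prototype chain.
function setPath(target, dottedKey, value) {
  const segments = dottedKey.split('.');
  if (!isSafePath(segments)) return false;
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Only descend into own, plain-object properties; never inherited ones.
    if (!Object.prototype.hasOwnProperty.call(node, seg) ||
        typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = {};
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return true;
}

// Parse `--key value` and `--key=value` tokens; rejected keys are collected
// so the caller can log them as a suspicious-input signal.
function parseArgs(argv) {
  const result = {};
  const rejected = [];
  for (let i = 0; i < argv.length; i++) {
    const token = argv[i];
    if (!token.startsWith('--')) continue;
    let key = token.slice(2);
    let value = true;
    const eq = key.indexOf('=');
    if (eq !== -1) {
      value = key.slice(eq + 1);
      key = key.slice(0, eq);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    }
    if (!setPath(result, key, value)) rejected.push(key);
  }
  return { result, rejected };
}
```

Logging the rejected keys gives a cheap detection hook: a __proto__ segment in user-supplied arguments is almost never legitimate input.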