Yargs version 10.1.1 represents a minor update to the popular command-line argument parsing library, building upon the foundation laid by version 10.1.0. Both versions share the same core set of dependencies, including y18n for internationalization, cliui for building command-line user interfaces, and yargs-parser for parsing the actual arguments. Developers relying on these core functionalities will find the behavior consistent between the two versions.
The primary difference lies in the development dependencies. While most remain identical, chai, a popular assertion library used for testing, has been upgraded from version 3.4.1 to version 4.1.2 in the newer release. This suggests an improvement or enhancement in the testing suite of yargs, potentially leading to more robust and reliable code.
For developers actively contributing to yargs or those deeply invested in its internal workings, the updated chai version is noteworthy. However, for the average user simply employing yargs to parse command-line arguments in their applications, the difference between 10.1.0 and 10.1.1 is subtle. Both offer a mature and feature-rich solution for creating compelling command-line interfaces. The update likely addresses internal improvements and testing enhancements rather than introducing new features or breaking changes. The bumped version of chai hints at improvements in testing and code quality. Choose the version that best aligns with your project's dependency management strategy and testing requirements.
All the vulnerabilities related to version 10.1.1 of the package
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well-crafted string.
Denial of Service in mem
Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.
Upgrade to version 4.0.0 or later.
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
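The mechanism behind the advisory, as an added example that is not yargs-parser's own code: a minimal dotted-key argument setter that walks "__proto__" into Object.prototype, placed beside a hardened setter that rejects reserved path segments and builds prototype-less containers. All function names (pairs, setPathUnsafe, setPathSafe, parseArgs, pollutionObserved, hardenedRejects) are assumed for this illustration.

```javascript
// Added example (not yargs-parser's own code). Names below are ours.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Turns ['--foo.bar', 'baz'] into [[['foo', 'bar'], 'baz']] path/value tuples.
function pairs(argv) {
  const out = [];
  for (let i = 0; i + 1 < argv.length; i += 2) {
    out.push([argv[i].replace(/^--/, '').split('.'), argv[i + 1]]);
  }
  return out;
}

// Unsafe: plain property walk. On a normal object, cur['__proto__'] resolves
// to Object.prototype, so the final assignment lands on every object.
function setPathUnsafe(target, path, value) {
  let cur = target;
  for (const seg of path.slice(0, -1)) {
    if (typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
}

// Hardened: refuse reserved segments outright, and only descend into own,
// prototype-less containers so inherited properties are never written through.
function setPathSafe(target, path, value) {
  if (path.some((seg) => RESERVED.has(seg))) {
    throw new Error(`refusing reserved key path: ${path.join('.')}`);
  }
  let cur = target;
  for (const seg of path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) {
      cur[seg] = Object.create(null);
    }
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
}

function parseArgs(argv, setPath = setPathSafe) {
  const result = Object.create(null);
  for (const [path, value] of pairs(argv)) setPath(result, path, value);
  return result;
}

// Runs the advisory's argument through the unsafe setter, records what a fresh
// object now inherits, then removes the polluted property to leave the process clean.
function pollutionObserved() {
  parseArgs(['--foo.__proto__.bar', 'baz'], setPathUnsafe);
  const leaked = ({}).bar;           // 'baz': inherited by every plain object
  delete Object.prototype.bar;
  return leaked;
}

// The hardened parser throws on the same input and leaves Object.prototype untouched.
function hardenedRejects() {
  try { parseArgs(['--foo.__proto__.bar', 'baz']); return false; }
  catch (e) { return ({}).bar === undefined; }
}
```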