Yargs, a popular and actively maintained command-line argument parsing library for Node.js, offers developers a straightforward way to build interactive command-line tools. Version 10.1.2 arrived shortly after 10.1.1, approximately a week later, indicating quick fixes or minor enhancements were addressed. Examining the dependencies, both versions rely on the same core set of libraries, including y18n for internationalization, cliui for building command-line user interfaces, and yargs-parser for processing arguments. Similarly, the development dependencies, crucial for testing, linting, and building the package, remain consistent between the two versions, encompassing tools like mocha for testing, standard for code style, and nyc for coverage.
The minimal changes between versions 10.1.1 and 10.1.2 suggest that the update most likely consists of bug fixes or very minor improvements, with no new functionality introduced. For developers already using yargs 10.1.1, upgrading to 10.1.2 is advisable to benefit from any fixes. The unchanged dependencies imply a seamless transition without compatibility concerns. Both versions are licensed under the MIT license, offering considerable freedom in usage and modification, and can be installed with the command npm install yargs@10.1.2. The tarball URLs provided allow direct access to the package archives for those who require it.
All vulnerabilities related to version 10.1.2 of the package
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by supplying a very large, well-crafted string.
Denial of Service in mem
Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.
Upgrade to version 4.0.0 or later.
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
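The following is an added illustration, not yargs-parser's own source: it models how a dotted option key is expanded into nested objects, first with every path segment trusted (the vulnerable pattern) and then with prototype-related segments rejected, which is the class of fix the patched versions apply. The helper names (setPathUnsafe, setPathSafe, probe) are my own, and the probe cleans up any pollution it causes.

```javascript
// Added illustration, not yargs-parser's source: how a dotted option key such as
// "foo.__proto__.bar" becomes nested objects, and why each segment must be checked.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Naive expansion: every segment is trusted. Descending into "__proto__" lands on
// Object.prototype, so the final assignment pollutes every object in the process.
function setPathUnsafe(target, dottedKey, value) {
  const keys = dottedKey.split(".");
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== "object" || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened expansion: reject prototype-related segments up front and only
// descend into own properties, never inherited ones.
function setPathSafe(target, dottedKey, value) {
  const keys = dottedKey.split(".");
  for (const key of keys) {
    if (DANGEROUS_KEYS.has(key)) {
      throw new Error(`rejected option key "${dottedKey}": segment "${key}"`);
    }
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== "object" || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Feeds the advisory's "--foo.__proto__.bar baz" case to one setter and checks
// whether a fresh, unrelated object now sees "bar"; then undoes any pollution.
function probe(setPath) {
  let rejected = false;
  try { setPath({}, "foo.__proto__.bar", "baz"); } catch (err) { rejected = true; }
  const leaked = ({}).bar;     // undefined unless Object.prototype was polluted
  delete Object.prototype.bar; // clean up so the demonstration leaves no trace
  return { leaked, rejected };
}

console.log("unsafe:", probe(setPathUnsafe)); // { leaked: 'baz', rejected: false }
console.log("safe:  ", probe(setPathSafe));   // { leaked: undefined, rejected: true }
```

The same check belongs on every code path that turns user-supplied keys into property names, including option aliases and config-file merging, not only the argv parser.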