Yargs version 11.0.0 introduces subtle but significant improvements over its predecessor, version 10.1.2, primarily concerning its internal dependency management. The most notable change lies in the updated yargs-parser dependency, which jumps from version 8.1.0 to 9.0.2. This update likely includes bug fixes, performance enhancements, and potentially new features within the argument parsing logic itself. For developers, this translates to a more robust and reliable argument parsing experience, especially when dealing with complex command-line interfaces. While the core API of Yargs remains consistent, upgrading ensures access to the latest refinements in argument parsing technology.
Both versions share an identical set of core dependencies like y18n, cliui, and find-up, indicating a continued commitment to stability in these foundational components. The devDependencies also remain unchanged, suggesting that the development and testing processes have not undergone significant alterations between these minor releases.
The key takeaway for developers considering an upgrade is the improved yargs-parser. If you've encountered any quirky behavior or performance bottlenecks in argument parsing with version 10.1.2, upgrading to version 11.0.0 is highly recommended. Even if you haven't experienced any issues, staying up to date with the latest minor versions is generally good practice to benefit from ongoing improvements and bug fixes. Being the later release, version 11.0.0 also incorporates the more recent fixes. Overall, v11.0.0 represents a refined and subtly enhanced version of the well-established Yargs library.
All vulnerabilities related to version 11.0.0 of the package
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well-crafted string.
Denial of Service in mem
Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.
Upgrade to version 4.0.0 or later.
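The mitigation behind the fix described above is a cache that actually drops entries once they exceed maxAge, ideally with a hard cap on entry count as well. The following memoizer is an added example written for this page; it is not mem's own code and does not reproduce its API. The `now` parameter is an assumption introduced here so the expiry logic can be exercised with a fake clock.

```javascript
// Added example (not mem's code): memoize a single-argument function with a
// cache that evicts expired entries on every access and caps the number of
// live entries, so stale keys cannot accumulate and exhaust memory.
function memoizeWithMaxAge(fn, { maxAge, maxSize = 1000, now = Date.now } = {}) {
  const cache = new Map(); // Map keeps insertion order, so the first key is the oldest

  // Remove every entry older than maxAge relative to the injected clock.
  function evictExpired() {
    const t = now();
    for (const [key, entry] of cache) {
      if (t - entry.created > maxAge) cache.delete(key);
    }
  }

  function memoized(arg) {
    evictExpired();
    const hit = cache.get(arg);
    if (hit) return hit.value;

    const value = fn(arg);
    if (cache.size >= maxSize) {
      // Size cap: drop the oldest entry before inserting a new one.
      cache.delete(cache.keys().next().value);
    }
    cache.set(arg, { value, created: now() });
    return value;
  }

  // Exposed so callers (and tests) can observe how many entries are live.
  memoized.size = () => cache.size;
  return memoized;
}

// Usage with the real clock: entries expire after one second, at most 500 live.
const double = memoizeWithMaxAge((x) => x * 2, { maxAge: 1000, maxSize: 500 });
double(21);
```

Evicting on every access keeps the implementation simple; a production cache would typically evict on a timer or lazily on lookup of the specific key, but either way the invariant that matters is that an expired entry never survives past its maxAge.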
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
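The defensive check that closes this class of bug is to refuse any dotted key whose segments could reach Object.prototype (`__proto__`, `constructor`, `prototype`) before writing into the parsed-arguments object, and to build that object without a prototype at all. The code below is an added example written for this page, not yargs-parser's own implementation; `parseArgs`, `setPath` and `isDangerousKey` are names introduced here, and the argument vector is constructed input.

```javascript
// Added example (not yargs-parser code): a dotted-key setter and a minimal
// "--key value" parser that reject prototype-polluting paths instead of
// silently writing them through to Object.prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// True if any segment of a dotted key could escape the target object.
function isDangerousKey(key) {
  return key.split('.').some((seg) => FORBIDDEN_SEGMENTS.has(seg));
}

// Sets target.a.b.c = value for key "a.b.c", creating intermediate objects
// with no prototype. Throws on dangerous keys so callers notice bad input.
function setPath(target, key, value) {
  if (isDangerousKey(key)) {
    throw new Error(`refusing to set prototype-polluting key: ${key}`);
  }
  const segs = key.split('.');
  let node = target;
  for (const seg of segs.slice(0, -1)) {
    const isOwnObject = Object.prototype.hasOwnProperty.call(node, seg)
      && typeof node[seg] === 'object' && node[seg] !== null;
    if (!isOwnObject) node[seg] = Object.create(null);
    node = node[seg];
  }
  node[segs[segs.length - 1]] = value;
  return target;
}

// Parses "--key value", "--key=value" and bare "--flag" tokens (constructed
// stand-in for an argument parser). Rejected keys are reported, not applied.
function parseArgs(argv) {
  const result = Object.create(null); // no prototype to pollute
  const rejected = [];
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (!tok.startsWith('--')) continue;
    let key = tok.slice(2);
    let value;
    const eq = key.indexOf('=');
    if (eq !== -1) {
      value = key.slice(eq + 1);
      key = key.slice(0, eq);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    } else {
      value = true;
    }
    try {
      setPath(result, key, value);
    } catch (e) {
      rejected.push(key);
    }
  }
  return { result, rejected };
}

// Post-condition check: a plain object must not have gained the named property.
function prototypeIsClean(name) {
  return !(name in {});
}

// Usage with the argument from the advisory text (constructed argv).
const parsed = parseArgs(['--foo.__proto__.bar', 'baz', '--db.host', 'localhost', '--verbose']);
```

Rejecting the key (rather than stripping the offending segment and continuing) is deliberate: an argument containing `__proto__` is never legitimate user input for a CLI, so surfacing it to the caller gives the application a chance to log and refuse the request.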