Yargs version 11.1.0 is a minor release following version 11.0.0 of this popular command-line argument parsing library for Node.js. Both versions share the same core runtime dependencies, including y18n for internationalization, cliui for building command-line user interfaces, and yargs-parser for the actual argument parsing logic. Because the runtime dependency set is unchanged, developers can expect a smooth transition between the two versions; it also means that any vulnerability in those shared dependencies applies equally to both.
The devDependencies show one notable difference: cross-spawn. Version 11.0.0 relies on cross-spawn@5.0.1, while version 11.1.0 upgrades to cross-spawn@6.0.4. cross-spawn provides cross-platform child process spawning and is used by the yargs test suite to run scripts consistently across operating systems. The upgrade to the 6.x line likely brings bug fixes and support for newer Node.js versions. Since it is a development dependency, however, it is only installed when working on yargs itself; applications that depend on the published package do not receive cross-spawn through yargs, so the bump has no effect on a consumer's runtime or CI.
The dist object also records the package's on-disk footprint. Version 11.1.0 has a fileCount of 39 and an unpackedSize of 212842 bytes, consistent with small additions or modifications to the codebase relative to version 11.0.0. Both versions are MIT licensed. Developers on 11.0.0 should move to 11.1.0, while keeping in mind that the advisories listed below affect both releases of the 11.x line.
All vulnerabilities related to version 11.1.0 of the package
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker who can supply a very large, specially crafted string can drive CPU usage up and hang or crash the program. The cross-spawn@6.0.4 pulled in by yargs 11.1.0 falls in the affected range, but it is a devDependency of yargs: it is present only in a development checkout of yargs, not in applications that install yargs from the registry, so for consumers this finding is noise rather than an exposure.
Denial of Service in mem
Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property, so every distinct input memoized is retained for the life of the process. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging. mem reaches yargs as a transitive dependency, so check your lockfile for the resolved version rather than assuming it is absent.
Upgrade to version 4.0.0 or later.
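To make the failure mode concrete, the following added example (not mem's code, and not part of the original page) contrasts a memoize that only checks maxAge on lookup, so expired entries are never freed, with one that sweeps expired entries and caps the cache. The simulate helper, its injected fake clock and the "msg-N" inputs are constructed for the demonstration; they stand in for attacker-controlled log messages.

```javascript
'use strict';

// Leaky memoize (the pattern the advisory describes): maxAge is honoured on
// lookup, but nothing ever deletes an expired entry, so the Map grows with
// every distinct argument the caller (or an attacker) supplies.
function memoizeLeaky(fn, { maxAge = Infinity, now = Date.now } = {}) {
  const cache = new Map();
  const memoized = (arg) => {
    const hit = cache.get(arg);
    if (hit && now() - hit.at < maxAge) return hit.value;
    const value = fn(arg);
    cache.set(arg, { value, at: now() });
    return value;
  };
  memoized.size = () => cache.size;
  return memoized;
}

// Hardened memoize: before each insert, drop entries older than maxAge and
// enforce an upper bound on entries (oldest insertion evicted first).
function memoizeBounded(fn, { maxAge = Infinity, maxSize = 1000, now = Date.now } = {}) {
  const cache = new Map();
  const sweep = () => {
    const t = now();
    for (const [k, e] of cache) if (t - e.at >= maxAge) cache.delete(k);
    while (cache.size >= maxSize) cache.delete(cache.keys().next().value);
  };
  const memoized = (arg) => {
    const hit = cache.get(arg);
    if (hit && now() - hit.at < maxAge) return hit.value;
    sweep();
    const value = fn(arg);
    cache.set(arg, { value, at: now() });
    return value;
  };
  memoized.size = () => cache.size;
  return memoized;
}

// Constructed workload: `distinctCalls` never-repeating inputs, one clock
// tick apart, fed through a memoized function built by `factory`.
// Returns the number of cache entries left resident afterwards.
function simulate(factory, distinctCalls, maxAge) {
  let clock = 0; // fake clock so the run is deterministic
  const memo = factory((s) => s.length, { maxAge, maxSize: 100, now: () => clock });
  for (let i = 0; i < distinctCalls; i++) {
    clock += 1;
    memo(`msg-${i}`); // constructed attacker-controlled input
  }
  return memo.size();
}

console.log('leaky, maxAge 10:', simulate(memoizeLeaky, 1000, 10));
console.log('bounded, maxAge 10:', simulate(memoizeBounded, 1000, 10));
console.log('bounded, no maxAge:', simulate(memoizeBounded, 1000, Infinity));
```

With a maxAge of 10 ticks, the leaky cache still holds all 1000 entries after 1000 distinct calls, while the bounded one holds only the 10 that are actually fresh; with no maxAge at all the size cap keeps it at 100. The general lesson is that any cache keyed on attacker-influenced input needs both an expiry that is enforced and a hard size bound.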
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser, for example when a service builds an argv array from request data or a job queue rather than from a trusted operator's shell.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later. Note that the yargs-parser major resolved by the yargs 11.x line is older than every fixed version, so a lockfile-only bump will not satisfy the range; remediation means upgrading yargs itself to a release whose yargs-parser dependency includes one of the fixed versions.
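The following added example is not yargs-parser's code and is not part of the original page. It reduces the advisory to a minimal dotted-key argv setter: unsafeSetPath walks `foo.__proto__.bar` straight into Object.prototype, exactly as the advisory describes, while safeSetPath refuses the dangerous segments and builds nested levels on null-prototype objects. The parseArgs helper, the function names and the sample argv arrays are all constructed for the demonstration.

```javascript
'use strict';

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe pattern: split "a.b.c" on dots and walk/create nested objects with
// no key filtering. On a plain object, cur['__proto__'] returns
// Object.prototype, so the final assignment lands on every object.
function unsafeSetPath(target, dotted, value) {
  const keys = dotted.split('.');
  let cur = target;
  for (const k of keys.slice(0, -1)) {
    if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened pattern: reject prototype-reaching segments outright, and only
// descend into own properties, creating new levels with a null prototype so
// there is no __proto__ accessor to walk through.
function safeSetPath(target, dotted, value) {
  const keys = dotted.split('.');
  for (const k of keys) {
    if (UNSAFE_KEYS.has(k)) throw new Error(`refusing to set key ${JSON.stringify(k)}`);
  }
  let cur = target;
  for (const k of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = Object.create(null);
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Toy argv parser (constructed for this example): handles --key value,
// --key=value and bare --flag; positionals are ignored.
function parseArgs(argv, setPath) {
  const out = {};
  for (let i = 0; i < argv.length; i++) {
    const a = argv[i];
    if (!a.startsWith('--')) continue;
    let key = a.slice(2);
    let value;
    const eq = key.indexOf('=');
    if (eq !== -1) {
      value = key.slice(eq + 1);
      key = key.slice(0, eq);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    } else {
      value = true;
    }
    setPath(out, key, value);
  }
  return out;
}

// Runs the advisory's payload through the unsafe setter and reports whether
// a fresh object now carries `bar`; cleans Object.prototype up afterwards so
// the rest of the process is not left poisoned.
function demoPollution() {
  parseArgs(['--foo.__proto__.bar', 'baz'], unsafeSetPath); // constructed attacker input
  const polluted = ({}).bar === 'baz';
  delete Object.prototype.bar;
  return polluted;
}

// Same payload through the hardened setter: expected outcome is a rejection
// with Object.prototype untouched.
function demoHardened() {
  try {
    parseArgs(['--foo.__proto__.bar', 'baz'], safeSetPath);
    return 'accepted';
  } catch (e) {
    return ({}).bar === undefined ? 'rejected' : 'polluted';
  }
}

console.log('unsafe setter polluted Object.prototype:', demoPollution());
console.log('safe setter result:', demoHardened());
console.log(parseArgs(['--db.host=localhost', '--db.port', '5432', '--verbose'], safeSetPath));
```

The null-prototype containers matter beyond the blocklist: even if a new alias for the prototype chain were overlooked, there is no accessor on Object.create(null) to walk through. Rejecting loudly rather than silently dropping the key is deliberate, since a dropped `--foo.__proto__.x` is a sign that someone is probing the parser.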