Yargs version 12.0.0 and 11.1.1 represent notable iterations of this popular command-line argument parser, a crucial tool for Node.js developers seeking to build interactive and user-friendly CLIs. The core functionality remains consistent, providing a robust framework for defining arguments, parsing user input, and generating elegant help messages.
The key differences lie in the dependency updates, reflecting the ongoing evolution of the JavaScript ecosystem. Version 12.0.0 upgrades yargs-parser from 9.0.2 to ^10.0.0 and os-locale from ^3.1.0 to ^2.0.0. y18n is also updated to ^3.2.1 || ^4.0.0. These dependency bumps may bring performance improvements, bug fixes, and new parsing features, so developers should consult the changelogs of these dependencies for details on the specific changes that might affect their code.
Furthermore, while both versions share many of the same development dependencies, such as chai, mocha, and standard, the specific versions of these tools differ. Notably, standard moves from ^8.6.0 to ^11.0.1 and nyc from ^11.2.1 to ^11.7.3, reflecting improvements in linting, testing, and code coverage reporting. Developers should check compatibility when upgrading between these Yargs versions, especially if they rely on specific behaviors of the underlying dependencies. The newer version was released earlier.
All vulnerabilities related to version 12.0.0 of the package
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase CPU usage and crash the program by supplying a very large, well-crafted string.
Denial of Service in mem
Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.
Upgrade to version 4.0.0 or later.
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of a property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
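To make the advisory concrete, here is an added example (not yargs or yargs-parser code) of the dotted-key setter a CLI parser uses for --a.b.c value: an unsafe form that reproduces the described pollution, a hardened form that refuses prototype-reaching segments, and a pre-parse check over raw argv. The names setPathUnsafe, setPathSafe, findPrototypeKeys and the sample argv are assumptions constructed for this example.

```javascript
// Added example, not yargs-parser's own code. Names and sample input are constructed.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe: descends into every segment, including __proto__. For a plain object,
// cur['__proto__'] is Object.prototype, so `--foo.__proto__.bar baz` writes
// Object.prototype.bar and every object in the process gains a `bar` property.
function setPathUnsafe(target, dottedKey, value) {
  const keys = dottedKey.split('.');
  let cur = target;
  for (const k of keys.slice(0, -1)) {
    if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: reject any path segment that can reach a prototype before touching
// the target, and only descend into own properties of the object being built.
function setPathSafe(target, dottedKey, value) {
  const keys = dottedKey.split('.');
  if (keys.some((k) => FORBIDDEN.has(k))) {
    throw new Error(`refusing key path "${dottedKey}": prototype-reaching segment`);
  }
  let cur = target;
  for (const k of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Pre-parse check: scan raw argv (e.g. process.argv.slice(2)) and return the
// flags whose dotted key contains a forbidden segment, so they can be rejected
// or logged before any parser sees them.
function findPrototypeKeys(argv) {
  const hits = [];
  for (const arg of argv) {
    if (!arg.startsWith('--')) continue;
    const key = arg.slice(2).split('=')[0].replace(/^no-/, '');
    if (key.split('.').some((k) => FORBIDDEN.has(k))) hits.push(arg);
  }
  return hits;
}

// Constructed sample argv: one benign flag and one prototype-reaching flag.
const sampleArgv = ['--port', '8080', '--foo.__proto__.bar', 'baz'];
console.log('flagged:', findPrototypeKeys(sampleArgv));
console.log('safe:', JSON.stringify(setPathSafe({}, 'db.host', 'localhost')));
```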