Yargs version 12.0.1 is a minor patch release following closely on the heels of version 12.0.0; both releases extend the functionality of this popular command-line argument parser for Node.js. While the core functionality remains consistent, version 12.0.1 consists mainly of dependency upgrades. A notable change is the update of yargs-parser from version 10.0.0 to version 10.1.0, which likely brings bug fixes and possibly minor enhancements to the argument parsing logic. Similarly, find-up is upgraded from version 2.1.0 to version 3.0.0, and decamelize moves from version 1.1.1 to version 2.0.0. Such dependency updates can bring performance improvements and more robust parsing.
For developers, the shift in dependencies indicates a continued commitment to stability and to modernizing the underlying tooling, reducing the exposure to security vulnerabilities that may exist in earlier releases of this open source package. The update to the internal yargs-parser is the part most likely to interest power users. The difference in unpacked size between the two versions is too small to suggest any major modification to the core yargs code. Both versions provide a declarative, pirate-themed approach to building command-line interfaces, making it easy to create user-friendly tools and scripts.
All the vulnerabilities related to version 12.0.1 of the package
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase CPU usage and crash the program by supplying a very large, specially crafted string.
Denial of Service in mem
Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.
Upgrade to version 4.0.0 or later.
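The mem advisory above concerns cache entries that outlive their maxAge and are never removed. As an added example, not mem's own code, here is a memoize helper that evicts expired entries on every lookup and caps the number of entries, so a stream of fresh arguments cannot grow memory without bound. The maxSize option and the injectable now clock are assumptions introduced for this illustration.

```javascript
// Added example (not mem's own code): a memoize helper whose cache really
// drops entries once they pass maxAge, and whose size is capped.
// The maxSize option and the injectable `now` clock are assumptions made
// for this illustration; they are not options of the real mem package.
function memoize(fn, { maxAge = Infinity, maxSize = 1000, now = Date.now } = {}) {
  // Map keeps insertion order, so the first key is always the oldest entry.
  const cache = new Map();

  // Remove every entry whose age exceeds maxAge. Deleting while iterating
  // a Map is safe in JavaScript.
  function evictExpired() {
    const t = now();
    for (const [key, entry] of cache) {
      if (t - entry.createdAt > maxAge) cache.delete(key);
    }
  }

  const memoized = function (arg) {
    evictExpired();
    const hit = cache.get(arg);
    if (hit !== undefined) return hit.value;

    const value = fn(arg);
    if (cache.size >= maxSize) {
      // Cap reached: drop the oldest entry before inserting the new one.
      cache.delete(cache.keys().next().value);
    }
    cache.set(arg, { value, createdAt: now() });
    return value;
  };

  // Exposed so callers (and tests) can observe that eviction really happens.
  memoized.cacheSize = () => cache.size;
  return memoized;
}

module.exports = { memoize };
```

Sweeping the whole map on every call is O(n) in the number of entries; with maxSize in place that cost is bounded, and the sweep guarantees that an expired value is never served and never retained.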
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
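The prototype pollution described above arises when dotted argument keys are expanded into nested objects without checking the individual segments. The following is an added example, not yargs-parser's or yargs' own code, showing a minimal argument parser that refuses the __proto__, constructor and prototype segments and builds its result on null-prototype objects, so a key like foo.__proto__.bar is rejected rather than applied. The function names parseArgs, setPath, isUnsafeKey and prototypeIsClean are assumptions for this illustration.

```javascript
// Added example (not yargs-parser's own code): a minimal argv parser that
// expands dotted keys such as --db.host=localhost into nested objects while
// refusing any path segment that could reach Object.prototype.
// All function names below are assumptions made for this illustration.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// True when any segment of the dotted key must never be used as a property
// name, e.g. 'foo.__proto__.bar'.
function isUnsafeKey(key) {
  return key.split('.').some((seg) => FORBIDDEN_SEGMENTS.has(seg));
}

// Assigns value at the dotted path inside target. Intermediate containers
// are created with a null prototype, so neither reads nor writes can walk
// up into Object.prototype.
function setPath(target, key, value) {
  if (isUnsafeKey(key)) {
    throw new Error(`refusing to set unsafe key: ${key}`);
  }
  const segs = key.split('.');
  let node = target;
  for (const seg of segs.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = Object.create(null);
    }
    node = node[seg];
  }
  node[segs[segs.length - 1]] = value;
  return target;
}

// Parses tokens of the form --key value, --key=value and --flag.
// Unsafe keys are collected in `rejected` instead of being applied, so the
// caller can log or refuse the invocation.
function parseArgs(argv) {
  const result = { parsed: Object.create(null), rejected: [] };
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (!tok.startsWith('--')) continue;
    let key = tok.slice(2);
    let value = true;
    const eq = key.indexOf('=');
    if (eq !== -1) {
      value = key.slice(eq + 1);
      key = key.slice(0, eq);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    }
    if (isUnsafeKey(key)) {
      result.rejected.push(key);
      continue;
    }
    setPath(result.parsed, key, value);
  }
  return result;
}

// Detection helper: reports whether a property name is absent from the
// shared Object prototype (a plain {} inherits from it).
function prototypeIsClean(name) {
  return !(name in {});
}

module.exports = { isUnsafeKey, setPath, parseArgs, prototypeIsClean };
```

The two defences are independent: the segment deny-list stops the known dangerous names, and the null-prototype containers mean that even a name the list misses cannot reach the shared prototype through the parsed object. A check like prototypeIsClean('bar') after parsing untrusted arguments is a cheap way to catch pollution in a test suite.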