Yargs, a popular command-line argument parser known for its pirate theme and as the successor to optimist, released version 12.0.2 shortly after 12.0.1, a minor update with subtle but potentially relevant changes for developers. Both versions share the same core functionality and aim to simplify building command-line interfaces. The key difference is the os-locale dependency: version 12.0.2 upgrades it to ^3.0.0, while 12.0.1 relied on ^2.0.0. This update likely picks up bug fixes or feature enhancements in os-locale, the package that determines the operating system's locale, and could therefore affect applications that rely on locale-specific behavior.
Another subtle difference appears in the devDependencies, specifically coveralls. Version 12.0.2 uses coveralls: "^3.0.2", a later patch of the same major release, whereas version 12.0.1 uses coveralls: "^3.0.1". Even though both versions share the same core dependencies (y18n, cliui and yargs-parser), developers should check their own projects for compatibility with the updated os-locale and coveralls dependencies. Furthermore, unpackedSize increased slightly between versions, and the releaseDate shows that the new version was published in September 2018, a couple of months after version 12.0.1.
All vulnerabilities related to version 12.0.2 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
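Added example, not yargs-parser's own code: a minimal dotted-key setter of the kind an option parser uses, in the naive form the advisory describes and in a hardened form, plus a check that flags polluting argv entries before they reach a parser on an unpatched version. The function names and the FORBIDDEN_SEGMENTS list are assumptions for this illustration.

```javascript
// Key segments that let a dotted option path reach a prototype (assumed list).
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive setter: walks `a.b.c`, creating intermediate objects on the way.
// For the path `foo.__proto__.bar` the second hop resolves to Object.prototype,
// so the final assignment lands on every object in the process.
function setDeepUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened setter: rejects prototype-reaching segments up front, only descends
// into own properties, and uses null-prototype containers for new levels so a
// lookup can never walk up the prototype chain.
function setDeepSafe(target, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (FORBIDDEN_SEGMENTS.has(key)) {
      throw new Error(`refusing prototype-reaching key segment: ${key}`);
    }
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Pre-parse gate: returns the argv entries whose option path contains a
// forbidden segment, so a caller can reject them before parsing.
function findPollutingArgs(argv) {
  return argv.filter((arg) => {
    if (!arg.startsWith('--')) return false;
    const name = arg.slice(2).split('=')[0].replace(/^no-/, '');
    return name.split('.').some((seg) => FORBIDDEN_SEGMENTS.has(seg));
  });
}
```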