Yargs, the popular command-line argument parser, released version 12.0.4 following the previous stable version 12.0.2. Examining the differences, developers will notice that the changes are primarily in the dependencies. Notably, yargs-parser was bumped from version 10.1.0 to 11.1.0. This is a significant change, since yargs relies on this library for parsing and handling arguments, so it could affect how applications built on yargs parse command-line arguments, introducing new features, bug fixes, or even breaking changes. Developers should carefully review the yargs-parser changelog to understand the implications.
Another change is in the repository URL: the previous version used git+ssh://git@github.com/yargs/yargs.git, whereas the new version uses git+https://github.com/yargs/yargs.git.
The decamelize dependency also changed, moving from version 2.0.0 in 12.0.2 to 1.2.0 in 12.0.4, which is a downgrade and seems a bit strange.
The updated version shows a minor rise in unpacked size, indicating potential additions to the codebase. The release date difference is also notable, with the later version released over 2 months after the older one. Yargs remains a powerful tool for building interactive command-line applications; these updates likely improve argument parsing capabilities and overall stability. Developers should consider these changes when upgrading to ensure compatibility and leverage new features.
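The dependency changes described above (a major bump of yargs-parser, a downgrade of decamelize, and a repository URL that switched from git+ssh to git+https) are exactly the things a reviewer wants flagged automatically before upgrading. The following is an added example, not code from the yargs project: it compares the dependency maps of two package manifests and reports downgrades, major bumps and scheme changes. The two manifests are constructed from the versions quoted in the text; the real yargs package.json files are not reproduced here.

```javascript
// Added example, not code from the yargs project: compare the dependency maps
// of two package manifests and flag what a reviewer should look at before
// upgrading: version downgrades, major bumps and changed install schemes.
// The two manifests below are constructed from the versions quoted in the text;
// the real yargs package.json files were not consulted.

// Parse "MAJOR.MINOR.PATCH", with an optional ^ or ~ prefix, into three numbers.
// Anything else (git URLs, tags, complex ranges) returns null and is not compared.
function parseSemver(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)$/.exec(String(spec).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Three-way comparison of two parsed versions: -1, 0 or 1.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Return one finding per changed dependency, sorted by name.
// kind is one of: added, removed, downgrade, major-bump, bump, unparsed-change.
function reviewDependencyChanges(oldDeps, newDeps) {
  const findings = [];
  const names = new Set([...Object.keys(oldDeps), ...Object.keys(newDeps)]);
  for (const name of names) {
    const before = oldDeps[name];
    const after = newDeps[name];
    if (before === after) continue;
    let kind;
    if (before === undefined) kind = 'added';
    else if (after === undefined) kind = 'removed';
    else {
      const a = parseSemver(before);
      const b = parseSemver(after);
      if (!a || !b) kind = 'unparsed-change';
      else if (compareSemver(a, b) > 0) kind = 'downgrade'; // old version is newer than new one
      else if (a[0] !== b[0]) kind = 'major-bump';
      else kind = 'bump';
    }
    findings.push({ name, kind, before, after });
  }
  return findings.sort((x, y) => x.name.localeCompare(y.name));
}

// Report a repository URL whose scheme changed, e.g. git+ssh -> git+https.
// Returns null when the scheme is unchanged.
function repositorySchemeChange(oldUrl, newUrl) {
  const scheme = (u) => (u.includes('://') ? u.slice(0, u.indexOf('://')) : u);
  const from = scheme(oldUrl);
  const to = scheme(newUrl);
  return from === to ? null : `${from} -> ${to}`;
}

// Constructed manifests carrying only the values quoted in the text.
const OLD_MANIFEST = {
  repository: { url: 'git+ssh://git@github.com/yargs/yargs.git' },
  dependencies: { 'yargs-parser': '10.1.0', decamelize: '2.0.0' },
};
const NEW_MANIFEST = {
  repository: { url: 'git+https://github.com/yargs/yargs.git' },
  dependencies: { 'yargs-parser': '11.1.0', decamelize: '1.2.0' },
};

for (const f of reviewDependencyChanges(OLD_MANIFEST.dependencies, NEW_MANIFEST.dependencies)) {
  console.log(`${f.kind.padEnd(14)} ${f.name}: ${f.before} -> ${f.after}`);
}
console.log(
  'repository scheme:',
  repositorySchemeChange(OLD_MANIFEST.repository.url, NEW_MANIFEST.repository.url)
);
```

Run against the two constructed manifests, the review reports decamelize as a downgrade and yargs-parser as a major bump, and notes the git+ssh to git+https change. Downgrades and unparsed changes (for example a dependency that switches from a registry version to a git URL) are the findings worth treating as blocking in a CI check.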
All vulnerabilities affecting version 12.0.4 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
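To make the mechanism in the advisory concrete, the following is an added example, not yargs-parser's own code: a minimal parser for dotted arguments of the form --a.b.c value, run in an unsafe mode that writes dotted keys straight into a plain object (the pattern the advisory describes) and in a safe mode that rejects the special keys __proto__, constructor and prototype and stores results in null-prototype containers. The argv arrays are constructed inputs; the function names are this example's own.

```javascript
// Added example, not yargs-parser's own code: a minimal "--a.b.c value" argument
// parser shown in two modes. Unsafe mode writes dotted keys straight into a
// plain object (the pattern the advisory describes); safe mode rejects the
// special keys and stores results in null-prototype containers.
// All argv arrays used here are constructed inputs.

// Key names that must never be used as a path segment: writing through any of
// them can reach Object.prototype or a constructor's prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assign `value` at the dotted `path` inside `target`.
// In safe mode every segment is validated before anything is written, so a
// rejected argument leaves `target` untouched (no partial writes).
function setPath(target, path, value, safe) {
  const parts = path.split('.');
  if (safe && parts.some((p) => UNSAFE_KEYS.has(p))) return false;
  let node = target;
  for (const key of parts.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) {
      node[key] = safe ? Object.create(null) : {};
    }
    node = node[key]; // unsafe mode: for "__proto__" this is Object.prototype itself
  }
  node[parts[parts.length - 1]] = value;
  return true;
}

// Parse "--key value", "--key=value" and bare "--flag" tokens.
// Returns the parsed object plus the list of arguments rejected by the guard,
// which is the natural place to hook logging or alerting in a real CLI.
function parseArgs(argv, { safe }) {
  const result = safe ? Object.create(null) : {};
  const rejected = [];
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (!tok.startsWith('--')) continue; // positional arguments are ignored here
    let key = tok.slice(2);
    let value;
    const eq = key.indexOf('=');
    if (eq !== -1) {
      value = key.slice(eq + 1);
      key = key.slice(0, eq);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    } else {
      value = true;
    }
    if (!setPath(result, key, value, safe)) rejected.push(key);
  }
  return { result, rejected };
}

// True when a freshly created object already carries `prop`, i.e. the shared
// prototype has been polluted.
function prototypeIsPolluted(prop) {
  return ({})[prop] !== undefined;
}

// Demonstration: the argument from the advisory, parsed in both modes.
const POLLUTING_ARGV = ['--foo.__proto__.bar', 'baz'];

parseArgs(POLLUTING_ARGV, { safe: false });
console.log('unsafe parse, fresh object has bar:', prototypeIsPolluted('bar')); // true
delete Object.prototype.bar; // undo the pollution so the rest of the process is unaffected

const parsed = parseArgs([...POLLUTING_ARGV, '--port=8080', '--verbose'], { safe: true });
console.log('safe parse, fresh object has bar:', prototypeIsPolluted('bar')); // false
console.log('rejected:', parsed.rejected, 'result:', parsed.result);
```

The unsafe walk reaches Object.prototype because every plain object exposes __proto__ as an inherited accessor, so a second dotted segment named __proto__ silently changes the target of the write. The safe mode closes that path twice over: the blocklist refuses the segment before any write happens, and Object.create(null) containers have no inherited accessors to begin with. The rejected list is what a CLI should log, since a rejected argument of this shape is a direct indicator that untrusted input reached the parser.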