Yargs version 14.1.0 introduces a small but notable change in its dependency management compared to version 14.0.0. The core functional difference is the updated yargs-parser dependency, which moves from version 13.1.1 to version 14.0.0, presumably bringing bug fixes, performance improvements, or new argument-parsing features into yargs.
For developers, this means potentially improved reliability and accuracy in how command-line arguments are handled. The other dependencies are unchanged, but yargs-parser is the component that interprets user input, so upgrading to 14.1.0 is recommended to benefit from the latest parser enhancements and give users of yargs-based command-line tools a smoother experience. The increase in unpacked size, from 230,049 to 233,091, hints at more substantial internal changes. The release dates, roughly a month apart, also point to active maintenance and ongoing improvement of this popular argument-parsing library, a sign of commitment to stability and feature enrichment that matters when adopting or upgrading an open source library.
All the vulnerabilities related to version 14.1.0 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
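The page lists this advisory against yargs 14.1.0 because its yargs-parser 14.0.0 dependency sits between the fixed 13.1.2 and 15.0.1 releases. The following added example, which is not code from the page or from yargs-parser, reproduces the mechanism in a toy dot-notation parser with a hypothetical setPath helper, and shows the hardening (rejecting __proto__, constructor and prototype segments) beside it, together with a check that a fresh object did not pick up the injected property.

```javascript
// Added example, not code from the page or from yargs-parser: a toy
// "--key value" parser that expands dotted option names as the advisory
// describes, once walking every segment blindly and once hardened.

// Constructed argv inputs; the first mirrors the advisory's argument.
const POLLUTING_ARGV = ['--foo.__proto__.bar', 'baz'];
const BENIGN_ARGV = ['--foo.bar', 'baz'];

// Path segments that must never be walked when expanding an option name.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Set target.a.b.c = value for dottedKey "a.b.c". With safe=false the
// segment "__proto__" resolves to Object.prototype, so the final
// assignment lands on every object in the process.
function setPath(target, dottedKey, value, safe) {
  const parts = dottedKey.split('.');
  if (safe && parts.some((p) => FORBIDDEN_KEYS.has(p))) {
    throw new Error(`refusing to expand option "${dottedKey}"`);
  }
  let node = target;
  for (const part of parts.slice(0, -1)) {
    if (typeof node[part] !== 'object' || node[part] === null) node[part] = {};
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
}

// Minimal parser: each "--name" token consumes the following token as value.
function parseArgs(argv, safe = true) {
  const result = {};
  for (let i = 0; i + 1 < argv.length; i += 2) {
    if (argv[i].startsWith('--')) setPath(result, argv[i].slice(2), argv[i + 1], safe);
  }
  return result;
}

// Parse argv, then probe a fresh object for the injected property and
// undo any pollution so the check leaves the process clean.
function pollutionCheck(argv, safe) {
  let rejected = false;
  try { parseArgs(argv, safe); } catch (_err) { rejected = true; }
  const polluted = ({}).bar === 'baz';
  delete Object.prototype.bar;
  return { rejected, polluted };
}
```

The same probe (parse untrusted arguments, then inspect a fresh `{}` for unexpected keys) can serve as a regression test for any parser that supports dot-notation options.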