Yargs version 15.0.0 is a notable update from version 14.2.3. The changes are mostly under the hood, in the internal utilities rather than the core API, and the pirate spirit of command-line argument parsing in Node.js lives on. The key difference is the updated dependency on yargs-parser, which jumps from version 15.0.1 in 14.2.3 to version 16.1.0 in 15.0.0. Since yargs delegates the actual tokenising of argv to yargs-parser, that bump is where any bug fixes, performance improvements and new parsing behaviour would land, and it is also the dependency to watch from a security standpoint, because the parser is the component that turns untrusted argument strings into object properties. Another visible change is the switch from nyc to c8 as the development dependency for code coverage, which hints at a shift in testing methodology (c8 uses V8's native coverage instead of instrumenting the source).
While the core functionality remains consistent, developers upgrading to 15.0.0 get a more refined and potentially faster argument parsing experience. As with any major version bump, upgrading yargs together with its dependencies, yargs-parser included, may require changes to your code, so read the changelog before moving. The move from nyc to c8 matters mainly to developers who rely on coverage metrics in their workflows. Both versions keep the same foundation of cliui for command-line layout and y18n for internationalisation, which makes yargs a robust choice for building command-line tools. The releaseDate value shown for the 14.2.3 package is misleading; it was likely updated on the registry after the initial release.
All the vulnerabilities related to the version 15.0.0 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitised, allowing an attacker to modify the prototype of Object, causing the addition or modification of a property that will then exist on all objects. Parsing the argument `--foo.__proto__.bar baz` adds a `bar` property with value `baz` to every object, because the dotted key is walked segment by segment and the `__proto__` segment resolves to `Object.prototype`. This is only exploitable if attackers control the arguments passed to yargs-parser; a CLI run by a local user with their own arguments is not at risk, but a service that builds argv from request data, job definitions or other untrusted input is.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later. Read those fix versions as the upper bound of three affected ranges: everything before 13.1.2, the 14.x and 15.0.0 releases before 15.0.1, and the 16.x through 18.1.0 releases before 18.1.1. That is why the advisory is listed for yargs 15.0.0 and not for 14.2.3 on this page: the yargs-parser 16.1.0 that 15.0.0 depends on sits inside the 16.0.0 to 18.1.0 range, whereas the 15.0.1 used by 14.2.3 is the patched release of its line. Check the resolved version in your lockfile rather than the range in package.json, since a caret range such as ^16.1.0 only floats up to a fixed release once the lockfile is refreshed.