Yargs version 15.0.1 represents a minor patch release following version 15.0.0, focusing on refinements and dependency updates rather than introducing major new features. Both versions maintain the core functionality of yargs as a modern, pirate-themed command-line argument parser, ideal for Node.js applications. Developers familiar with yargs will find the update to 15.0.1 seamless.
Key differences lie in the updated dependencies. Version 15.0.1 upgrades cliui from 5.0.0 to 6.0.0 and string-width from 3.0.0 to 4.2.0, which may improve command-line layout and the measurement of string widths. These updates likely address subtle bugs or bring performance improvements related to terminal output. Version 15.0.0 declared a dev dependency on standard-version (^7.0.0) that is absent from 15.0.1, which is odd; perhaps releases are now managed with another tool.
For developers, this means potentially better-formatted help messages and more accurate handling of string lengths in their command-line interfaces. The core API of yargs is unchanged between the two versions, so the improvements are under the hood. If you use yargs, upgrading to 15.0.1 is recommended to pick up these dependency updates. The unpacked size of 15.0.1 is slightly larger (237653) than that of 15.0.0 (237392).
All the vulnerabilities related to the version 15.0.1 of the package

yargs-parser Vulnerable to Prototype Pollution

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Upgrade yargs-parser to versions 13.1.2, 15.0.1, 18.1.1 or later.