Yargs version 15.0.2 builds upon the foundation of 15.0.1, offering developers a refined command-line argument parsing experience. While both versions share core dependencies like y18n for internationalization, cliui for creating user interfaces, and yargs-parser for parsing arguments, the subtle changes under the hood likely address bug fixes, performance improvements, or refinements to existing features. Both versions inherit the benefits of the yargs ecosystem and include the same dev dependencies for testing and code quality.
Developers leveraging yargs gain access to a powerful tool for building interactive command-line applications. They can define commands, options, and arguments with ease, providing users with clear and concise instructions. The ability to handle internationalization, customize output, and create complex argument structures makes yargs a versatile choice.
Specifically for yargs 15.0.2, developers should stay up to date with the latest improvements to its dependencies, and note that the package size changed slightly (from 237653 to 238154 bytes unpacked). The patch release 15.0.2 also carries the latest bug fixes and refinements, so this version should be preferred. Version 15.0.2 remains compatible with the broader ecosystem of Node.js tools and libraries, providing a stable and reliable experience.
All the vulnerabilities related to version 15.0.2 of the package
yargs-parser Vulnerable to Prototype Pollution

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument '--foo.__proto__.bar baz' adds a 'bar' property with value 'baz' to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
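As an added illustration of the mitigation (this is example code, not yargs-parser's own implementation), the following guarded dotted-path setter refuses the '__proto__', 'constructor' and 'prototype' segments before assigning nested option keys, and walks a constructed argv containing the argument quoted in the advisory; the helper names and the minimal '--key value' walker are assumptions for this example.

```javascript
// Key segments that would let a dotted option path reach Object.prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True when any segment of a dotted option path is a prototype-reaching key.
function isPrototypePath(path) {
  return path.split('.').some((seg) => UNSAFE_KEYS.has(seg));
}

// Assigns value at a dotted path inside target. Unsafe paths are rejected up
// front, and intermediate objects are created with a null prototype so the
// walk can never land on Object.prototype.
function setDottedPath(target, path, value) {
  if (isPrototypePath(path)) {
    throw new Error(`refusing prototype-polluting key path: ${path}`);
  }
  const segs = path.split('.');
  let cur = target;
  for (const seg of segs.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) {
      cur[seg] = Object.create(null);
    }
    cur = cur[seg];
  }
  cur[segs[segs.length - 1]] = value;
  return target;
}

// Minimal '--key value' walker (constructed for this example, not a full
// argv parser). Rejected paths are reported instead of being applied.
function parseArgv(argv) {
  const out = Object.create(null);
  const rejected = [];
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (!tok.startsWith('--')) continue;
    const key = tok.slice(2);
    const hasValue = i + 1 < argv.length && !argv[i + 1].startsWith('--');
    const val = hasValue ? argv[++i] : true;
    try {
      setDottedPath(out, key, val);
    } catch (e) {
      rejected.push(key);
    }
  }
  return { out, rejected };
}
```

After parsing the advisory's argument with this guard, a fresh object still has no 'bar' property, which is the check a test suite should keep around after upgrading.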