Yargs version 15.2.0 introduces several updates compared to its predecessor, version 15.1.0, primarily dependency upgrades, along with possible bug fixes or minor feature enhancements. The key difference is the yargs-parser dependency, which moves from version 16.1.0 in v15.1.0 to version 17.1.0 in v15.2.0. Since yargs-parser handles the library's core task of parsing command-line arguments, this bump may change how options are parsed and therefore how developers define and handle them.
On the development-dependency side, v15.2.0 upgrades c8 (code coverage tool), chalk (terminal styling) and mocha (testing framework). These updates improve the library's own testing and development environment but generally do not affect end users directly. Also upgraded are which, a utility for locating executables, and the tools standard, rimraf and cross-spawn. Because Yargs is used to build command-line tools, these changes can make the development experience smoother. Developers should test their existing yargs commands after upgrading to confirm compatibility with any underlying changes in argument parsing or terminal output handling. Finally, the increase in fileCount and unpackedSize in the dist object can be attributed to the updated modules and accompanying bug fixes.
All vulnerabilities related to version 15.2.0 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
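The following is an added illustration and is not yargs-parser's own code or its actual fix. It models the dotted-key assignment that a parser performs for an argument like --foo.__proto__.bar baz, shows why a naive setter pollutes Object.prototype, and places a hardened setter beside it that refuses the dangerous path segments. The names (tokenize, setPathUnsafe, setPathSafe, parseArgs, findDangerousArgs, demo) and the argv used are constructed for this example; the blocked key list extends beyond the page's `__proto__` to `constructor` and `prototype`, a common defensive generalization, which is an assumption rather than something the advisory states.

```javascript
// Added example, not yargs-parser's code: a minimal model of dotted-key
// argument assignment, vulnerable form beside a hardened form.

// Path segments that must never be traversed or assigned when setting
// nested keys from untrusted input (assumed list; the advisory names __proto__).
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split argv such as ['--foo.__proto__.bar', 'baz'] into [pathSegments, value] pairs.
function tokenize(argv) {
  const pairs = [];
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (!tok.startsWith('--')) continue;
    let key = tok.slice(2);
    let value;
    const eq = key.indexOf('=');
    if (eq !== -1) {
      value = key.slice(eq + 1);
      key = key.slice(0, eq);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    } else {
      value = true;
    }
    pairs.push([key.split('.'), value]);
  }
  return pairs;
}

// Naive setter: walks the path, creating intermediate objects on demand.
// For ['foo', '__proto__', 'bar'], obj.foo.__proto__ is Object.prototype,
// so the final assignment lands on every object in the process.
function setPathUnsafe(obj, path, value) {
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    if (cur[path[i]] === undefined) cur[path[i]] = {};
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Hardened setter: rejects dangerous segments up front and only walks
// own properties, using null-prototype objects for intermediate nodes.
function setPathSafe(obj, path, value) {
  for (const seg of path) {
    if (DANGEROUS_KEYS.has(seg)) {
      throw new Error(`refusing to set dangerous key "${seg}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(cur, path[i])) {
      cur[path[i]] = Object.create(null);
    }
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Parse argv into an options object; hardened by default.
// Returns the parsed object and the dotted paths that were rejected.
function parseArgs(argv, { hardened = true } = {}) {
  const setter = hardened ? setPathSafe : setPathUnsafe;
  const out = {};
  const rejected = [];
  for (const [path, value] of tokenize(argv)) {
    try {
      setter(out, path, value);
    } catch (e) {
      rejected.push(path.join('.'));
    }
  }
  return { out, rejected };
}

// Audit helper for logging or input validation: list argv flags whose
// key path touches a dangerous segment, before they reach any parser.
function findDangerousArgs(argv) {
  return tokenize(argv)
    .filter(([path]) => path.some((seg) => DANGEROUS_KEYS.has(seg)))
    .map(([path]) => '--' + path.join('.'));
}

// Run the advisory's payload (constructed argv) through both setters.
function demo() {
  const argv = ['--foo.__proto__.bar', 'baz', '--port', '8080'];
  const before = ({}).bar;                 // undefined: no pollution yet
  parseArgs(argv, { hardened: false });
  const polluted = ({}).bar;               // 'baz': every new object now has bar
  delete Object.prototype.bar;             // undo the pollution for the rest of the process
  const { out, rejected } = parseArgs(argv);
  const afterSafe = ({}).bar;              // undefined: hardened setter refused the path
  return { before, polluted, afterSafe, out, rejected };
}

console.log(JSON.stringify(demo()));
```

In a real deployment the fix is to upgrade yargs-parser as the advisory says; the `findDangerousArgs` check is useful as a defence-in-depth guard or a log-and-alert hook where argv originates from an untrusted caller.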