Yargs version 3.2.1 represents a minor update to the popular command-line argument parsing library, building upon the foundation laid by version 3.1.0. While both versions share the core functionality of providing a lightweight and straightforward way to parse command-line arguments into a readily accessible argv hash, version 3.2.1 introduces a key addition for developers: a dependency on the "string" package, specifically any version compatible with "^3.0.0". This suggests enhancements or bug fixes related to string manipulation within the argument parsing process.
Developers considering upgrading from 3.1.0 to 3.2.1 should investigate the implications of the included "string" package dependency. Check the changelog or commit history to see how this new dependency impacts the argument parsing behavior. The core utility of yargs remains the same: simplifying the creation of command-line tools by automatically handling argument parsing and providing a clean interface. Both version share the MIT/X11 license, making the library freely usable in most projects. Be aware of the releaseDate to understand how long ago these versions were released. While older versions can have stable code, modern versions have more features and benefit from community fixes.
All the vulnerabilities related to the version 3.2.1 of the package
Regular Expression Denial of Service in string package
Affected versions of string are vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.
There is currently no direct patch for this vulnerability.
Currently, the best solution is to avoid passing user input to the underscore and unescapeHTML methods.
Alternatively, a user provided patch is available in Pull Request #217, however this patch has not been tested, nor has it been merged by the package author.
