Yargs version 4.4.0 represents a minor update to the popular command-line argument parsing library, building upon the foundation established in version 4.3.2. Developers leveraging Yargs for their Node.js CLIs will find subtle but worthwhile enhancements. Examining the dependency updates, y18n is bumped from ^3.2.0 to ^3.2.1, and cliui moves from ^3.0.3 to ^3.1.2. Crucially, yargs-parser, the engine responsible for interpreting command-line arguments, sees an upgrade from ^2.1.1 to ^2.2.0. These dependency updates likely incorporate bug fixes, performance improvements, and new features in the related modules, leading to a more robust and reliable argument parsing experience for end-users.
On the development side, nyc (Istanbul's command line interface) is updated from ^6.0.0 to ^6.1.1, while chalk moves from ^1.1.1 to ^1.1.3 and coveralls advances from ^2.11.4 to ^2.11.9. These updates likely enhance the testing and code coverage reporting capabilities, aiding developers in ensuring the quality and stability of their Yargs-powered CLIs. While the core functionality remains consistent, developers are encouraged to upgrade to version 4.4.0 to benefit from these incremental improvements and dependency enhancements, promoting a smoother and more reliable parsing solution.
All the vulnerabilities affecting version 4.4.0 of the package (through its yargs-parser dependency):

yargs-parser Vulnerable to Prototype Pollution

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument "--foo.__proto__.bar baz" adds a "bar" property with value "baz" to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Upgrade yargs-parser to versions 13.1.2, 15.0.1, 18.1.1 or later.