Yargs version 4.8.0 brings several notable changes compared to its predecessor, version 4.7.1. The core functionality remains consistent, providing a robust command-line argument parser. Key dependencies have been updated, affecting the internal workings and potentially improving performance and security. In dependencies, require-directory at version ^2.1.1 is newly introduced in 4.8.0, while pkg-conf and camelcase are removed. set-blocking is also upgraded from 1.0.0 to 2.0.0. These dependency changes reflect a shift in how yargs handles configuration and internal module loading. For developers, this translates to potentially different import statements related to setting blocking operations and configuration lookups.
In the devDependencies section, nyc was upgraded (from 6.4.2 to 7.0.0), as were which (from 1.1.2 to 1.2.9) and mocha (from 2.4.5 to 2.5.2). This suggests improvements in test coverage, Node.js module path resolution and the testing framework. These updates contribute to a more stable and reliable development environment. Overall, version 4.8.0 delivers incremental improvements, primarily through dependency updates that aim to modernize the library and enhance its internal workings. Developers should review the changed dependencies and adapt their code accordingly to ensure seamless integration.
All the vulnerabilities related to version 4.8.0 of the package
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
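To show why the advisory's --foo.__proto__.bar baz argument reaches every object, and what the fix has to do, here is an added example (not yargs-parser's own code) with a minimal dotted-key setter in the vulnerable style next to a hardened one; the names setPathUnsafe, setPathSafe, parseArgs and isPolluted are assumed.

```javascript
// Added example (not yargs-parser code); names setPathUnsafe/setPathSafe/parseArgs/isPolluted are assumed.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: walks "a.b.c" creating intermediate objects blindly. For the segment
// "__proto__", obj.__proto__ is Object.prototype, so the write lands on every object.
function setPathUnsafe(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: reject segments that reach a prototype, and only descend into own
// properties so an inherited object is never the write target.
function setPathSafe(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => DANGEROUS_KEYS.has(k))) throw new Error('refusing prototype-reaching key: ' + path);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Tiny "--key value" parser so the advisory's argument can be fed in whole; a bare flag becomes true.
function parseArgs(argv, setter) {
  const out = {};
  for (let i = 0; i < argv.length; i++) {
    if (!argv[i].startsWith('--')) continue;
    const key = argv[i].slice(2);
    const hasValue = i + 1 < argv.length && !argv[i + 1].startsWith('--');
    setter(out, key, hasValue ? argv[++i] : true);
  }
  return out;
}

// Detection: has Object.prototype gained this property?
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}
```

Running the advisory's argument through setPathUnsafe makes isPolluted('bar') true for the whole process, while setPathSafe throws and leaves Object.prototype untouched.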