Yargs, a popular command-line argument parser, released version 4.8.1 shortly after 4.8.0, offering some subtle but important refinements for developers. The core functionality remains focused on making command-line interfaces more intuitive and user-friendly, but a key difference lies in the dependencies.
Version 4.8.1 upgrades the yargs-parser dependency from 2.4.0 to 2.4.1 and introduces get-caller-file 1.0.1 as a new dependency. These updates pull in the latest fixes from those packages, which can improve parsing consistency and debugging behaviour. In devDependencies, coveralls and cross-spawn-async were updated to coveralls and cross-spawn respectively.
For developers, these updates mean a smoother experience when defining and handling command-line arguments. The immediate impact may not be drastic if you are already using yargs, but staying current ensures you benefit from the most recent bug fixes, performance optimizations, and feature enhancements in the dependency tree. The continued maintenance of dependencies also reflects the project's commitment to providing a stable and reliable command-line parsing tool. By upgrading, developers get these minor improvements and fixes and a safer version overall.
All the vulnerabilities related to version 4.8.1 of the package:

yargs-parser Vulnerable to Prototype Pollution

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
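The pollution path described above, as an added illustration that is not yargs-parser's own code: a minimal dotted-key expander (the shape behind --a.b.c value) in its vulnerable form beside a hardened form that refuses prototype-reaching segments, plus a check a defender can run to confirm Object.prototype is clean. FORBIDDEN_SEGMENTS, setPathUnsafe, setPathSafe, parseArgs and isPrototypePolluted are constructed names.

```javascript
// Segments that reach the shared prototype chain instead of the result object.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: plain property access per segment, so node['__proto__'] resolves
// to Object.prototype and the final assignment lands there (constructed code).
function setPathUnsafe(target, dottedKey, value) {
  const segments = dottedKey.split('.');
  let node = target;
  for (const seg of segments.slice(0, -1)) {
    if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = {};
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Hardened: reject prototype-reaching segments and only descend into the
// target's own plain-object properties, never into inherited ones.
function setPathSafe(target, dottedKey, value) {
  const segments = dottedKey.split('.');
  if (segments.some((seg) => FORBIDDEN_SEGMENTS.has(seg))) {
    throw new Error(`refusing prototype-reaching key: ${dottedKey}`);
  }
  let node = target;
  for (const seg of segments.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) node[seg] = {};
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Minimal argv walker for `--key value` and `--key=value`; the setter passed in
// decides whether dotted keys are expanded safely.
function parseArgs(argv, setPath) {
  const result = {};
  for (let i = 0; i < argv.length; i += 1) {
    if (!argv[i].startsWith('--')) continue;
    const body = argv[i].slice(2);
    const eq = body.indexOf('=');
    const key = eq === -1 ? body : body.slice(0, eq);
    const value = eq === -1 ? argv[++i] : body.slice(eq + 1);
    setPath(result, key, value);
  }
  return result;
}

// Detection check: is `name` defined directly on Object.prototype?
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}
```

Running parseArgs(['--foo.__proto__.bar', 'baz'], setPathUnsafe) makes ({}).bar equal 'baz' for every object in the process, while the same call with setPathSafe throws and leaves Object.prototype untouched.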