Yargs, a popular command-line argument parser, released version 6.4.0, building on version 6.3.0. Both versions offer the same pirate-themed approach to handling command-line arguments and position the library as a successor to the well-regarded optimist library. Comparing the package manifests shows one key difference in the yargs-parser dependency: 6.4.0 upgrades to yargs-parser 4.1.0, whereas 6.3.0 relies on 4.0.2. Because yargs-parser implements the argument parsing logic itself, this bump is the change most likely to affect how arguments are interpreted and therefore how scripts behave; the manifests alone do not say whether it carries bug fixes, performance improvements, or new features.
Another notable distinction lies in the cross-spawn dev dependency. Version 6.4.0 uses cross-spawn ^5.0.1 while 6.3.0 depends on ^4.0.0. cross-spawn wraps child-process spawning to smooth over platform differences (notably on Windows). Since it is a devDependency, it is pulled in for yargs' own build and test tooling and is not installed for applications that merely depend on yargs, so this change matters to contributors rather than to consumers.
Developers upgrading to yargs 6.4.0 should confirm that the yargs-parser bump does not change how their existing CLI applications interpret arguments; the cross-spawn change only affects work on yargs itself. Overall, the update is a targeted refinement of yargs' core parsing and of its development tooling. Consumers should decide whether to move between these revisions based on whether they are affected by the parser change.
All vulnerabilities related to version 6.4.0 of the package
yargs-parser Vulnerable to Prototype Pollution

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Upgrade to yargs-parser 13.1.2, 15.0.1, 18.1.1 or later. Note that yargs 6.4.0 depends on yargs-parser 4.1.0, which is older than every fixed release, so picking up a patched parser means moving to a newer yargs (or forcing a dependency override) rather than just reinstalling 6.4.0.
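To make the advisory concrete, the following is an added example (not code from yargs, yargs-parser, or the advisory itself) of a minimal dotted-key argument parser. With the guard off it reproduces the bug class: walking a key path like foo.__proto__.bar steps through the `__proto__` accessor, lands on Object.prototype, and writes `bar` there, so every object suddenly has it. With the guard on, any segment named `__proto__`, `constructor` or `prototype` is rejected before the walk. The function names, the FORBIDDEN_SEGMENTS list, and the choice to reject rather than rewrite such keys are assumptions for this illustration; they are not how the patched yargs-parser is implemented. The payload is constructed from the argument quoted in the advisory.

```javascript
'use strict';

// Key segments that reach into the prototype chain instead of the plain
// object being built. Assumed blocklist for this illustration.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Assigns `value` at the nested path `segments` inside `target`, creating
// intermediate objects as needed. With guard === false this reproduces the
// advisory's bug class: cur['__proto__'] resolves to Object.prototype, which
// is a non-null object, so the walk continues into it and writes there.
function setPath(target, segments, value, guard) {
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (guard && FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`refusing to assign through forbidden key segment "${seg}"`);
    }
    if (cur[seg] === null || typeof cur[seg] !== 'object') {
      cur[seg] = {};
    }
    cur = cur[seg];
  }
  const last = segments[segments.length - 1];
  if (guard && FORBIDDEN_SEGMENTS.has(last)) {
    throw new Error(`refusing to assign forbidden key "${last}"`);
  }
  cur[last] = value;
}

// Tiny "--key value" / "--key" argv parser with dotted nesting. Illustrative
// only; it is not yargs-parser. `guard` defaults to the hardened behaviour.
function parseArgs(argv, { guard = true } = {}) {
  const result = {};
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (!tok.startsWith('--')) continue;
    const key = tok.slice(2);
    const next = argv[i + 1];
    const value = next !== undefined && !next.startsWith('--') ? argv[++i] : true;
    setPath(result, key.split('.'), value, guard);
  }
  return result;
}

// Detection check: has Object.prototype gained an own property `name`?
function isPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Removes a polluted property so the demonstration does not leak into later code.
function cleanup(name) {
  delete Object.prototype[name];
}

// Runs the advisory's payload through the vulnerable and hardened parser
// and reports what happened in each case.
function demo() {
  // Constructed payload, taken from the argument quoted in the advisory.
  const payload = ['--foo.__proto__.bar', 'baz'];

  parseArgs(payload, { guard: false });
  const pollutedByVulnerable = isPolluted('bar') && ({}).bar === 'baz';
  cleanup('bar');

  let hardenedRejected = false;
  try {
    parseArgs(payload, { guard: true });
  } catch (e) {
    hardenedRejected = true;
  }
  const pollutedByHardened = isPolluted('bar');

  return { pollutedByVulnerable, hardenedRejected, pollutedByHardened };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running the file prints `{ pollutedByVulnerable: true, hardenedRejected: true, pollutedByHardened: false }`. The `isPolluted` helper is the same check to run in a test suite after parsing untrusted arguments: an own `bar` (or any unexpected name) on Object.prototype is the tell. Rejecting the key outright is chosen here because silently rewriting it can mask an attack in progress; whichever policy a parser adopts, the check has to cover every segment of the path, not just the last one.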