Yargs version 8.0.0 differs from version 7.1.2 mainly in dependency management and internal tooling rather than in its public API. The most consequential change is the yargs-parser dependency, which moves from version 5.0.1 in 7.1.2 to version 6.0.1 in 8.0.0. Because yargs-parser does all of the actual argument parsing, this is the change that decides how command-line input is interpreted, and which parser bugs a given yargs release inherits.
Version 8.0.0 also adds yargs-test-extends as a development dependency, used by the project's own test suite, and bumps nyc from version 10.0.0 to 10.3.0. Both are dev dependencies: they improve the project's own testing and coverage reporting and are not installed by applications that depend on yargs.
The release dates are easy to misread: 8.0.0 was released in May 2017, while 7.1.2 was released in April 2021. The later date does not make 7.1.2 the newer code base; it is a maintenance patch on the 7.x line published long after 8.0.0, so it carries fixes rather than the 8.x feature set. Many core dependencies are shared between the two. Existing 7.x users should check whether the updated parser changes how their arguments are interpreted before moving to 8.x, and should weigh the vulnerability listed below, since which yargs-parser a release pins is exactly what decides whether it is affected. New users get the more current parsing behaviour with 8.0.0.
All vulnerabilities related to version 8.0.0 of the package
yargs-parser Vulnerable to Prototype Pollution

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, so an attacker who controls them can modify the prototype of Object, adding or changing a property that then exists on every object in the process.

Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. The parser treats each dot-separated segment of the key as a nested object to descend into, and __proto__ is not excluded, so the walk lands on Object.prototype before the final write. This is only exploitable if attackers have control over the arguments being passed to yargs-parser; where a process accepts arguments from untrusted input (a wrapper that forwards user-supplied strings, for example), checking that ({}).bar is still undefined after parsing is a quick way to confirm whether the prototype was touched.

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later, choosing the patched release on the major line in use. For yargs 8.0.0 the parser is a transitive dependency that yargs itself pins, so the practical fix is an upgrade of yargs to a release that depends on a patched yargs-parser rather than a bump of yargs-parser alone.
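As an added example that is not the page's or yargs-parser's own code, the JavaScript below reconstructs the failure with a small dotted-key parser of its own, written twice: the naive nested-key walk that pollutes Object.prototype, and a hardened form that refuses prototype-reaching segments and descends only into own properties. The function names (tokenize, setPathUnsafe, setPathSafe, parseUnsafe, parseSafe, demonstrate) and the sample argv are this example's assumptions, modelled on the advisory's --foo.__proto__.bar baz.

```javascript
// Added example, not yargs-parser's code: a minimal `--a.b.c value` parser
// written twice, once with the naive nested-key walk that pollutes
// Object.prototype, once hardened. Function names and the sample argv are
// this example's own assumptions.

const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Turn argv into [key, value] pairs: `--k v`, `--k=v`, or bare `--k` (true).
function tokenize(argv) {
  const pairs = [];
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith("--")) continue;
    const body = arg.slice(2);
    const eq = body.indexOf("=");
    if (eq !== -1) {
      pairs.push([body.slice(0, eq), body.slice(eq + 1)]);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith("--")) {
      pairs.push([body, argv[++i]]);
    } else {
      pairs.push([body, true]);
    }
  }
  return pairs;
}

// Vulnerable walk: plain property access on each segment, so the segment
// "__proto__" resolves to Object.prototype and the final write lands there.
function setPathUnsafe(obj, key, value) {
  const parts = key.split(".");
  let cur = obj;
  for (const part of parts.slice(0, -1)) {
    if (typeof cur[part] !== "object" || cur[part] === null) cur[part] = {};
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
}

// Hardened walk: reject keys with a prototype-reaching segment, descend only
// into own properties, and build containers with no prototype at all.
function setPathSafe(obj, key, value) {
  const parts = key.split(".");
  if (parts.some((p) => FORBIDDEN_SEGMENTS.has(p))) return false;
  let cur = obj;
  for (const part of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, part);
    if (!own || typeof cur[part] !== "object" || cur[part] === null) {
      cur[part] = Object.create(null);
    }
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return true;
}

function parseUnsafe(argv) {
  const out = {};
  for (const [k, v] of tokenize(argv)) setPathUnsafe(out, k, v);
  return out;
}

// Returns the parsed object plus the keys it refused, so callers can log them.
function parseSafe(argv) {
  const out = Object.create(null);
  const rejected = [];
  for (const [k, v] of tokenize(argv)) {
    if (!setPathSafe(out, k, v)) rejected.push(k);
  }
  return { argv: out, rejected };
}

// Constructed argv modelled on the advisory's `--foo.__proto__.bar baz`.
const SAMPLE_ARGV = ["--foo.__proto__.bar", "baz", "--name", "alice", "--db.port=5432"];

// Runs both parsers and reports what a fresh `{}` sees after each; the
// Object.prototype.bar write is removed again so the process is left clean.
function demonstrate(argv = SAMPLE_ARGV) {
  parseUnsafe(argv);
  const pollutedValue = ({}).bar;      // "baz": every object now has .bar
  delete Object.prototype.bar;         // undo the pollution
  const { argv: safe, rejected } = parseSafe(argv);
  const afterSafe = ({}).bar;          // undefined: prototype untouched
  return { pollutedValue, afterSafe, rejected, parsed: safe };
}
```

demonstrate() returns "baz" as pollutedValue and undefined as afterSafe, with foo.__proto__.bar listed under rejected. Two design points: the hardened parser returns null-prototype objects, so consumers must use Object.hasOwn or Object.prototype.hasOwnProperty.call rather than result.hasOwnProperty; and rejecting the key outright is preferable to silently dropping the segment, because a logged rejection is a detection signal that someone is probing the argument surface. At the process level, Node's --disable-proto=throw flag or an early Object.freeze(Object.prototype) limits the blast radius if a third-party parser is still vulnerable.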