Yargs version 8.0.1 is a minor release following closely after 8.0.0, offering developers an updated and refined command-line argument parsing experience. While both versions maintain the core functionality of the pirate-themed successor to optimist, significant updates emerge when comparing their dependencies, which is crucial for developers concerned about stability and security.
Specifically, version 8.0.1 upgrades several key dependencies, notably camelcase from version 3.0.0 to 4.1.0, os-locale from 1.4.0 to 2.0.0, string-width from 1.0.2 to 2.0.0 and yargs-parser from 6.0.1 to 7.0.0. These updates likely include bug fixes, performance improvements, and potentially new features exposed through those libraries. From the devDependencies we have an update of the standard-version from 3.0.0 to 4.0.0. Developers should investigate these dependency changes to understand their impact on their specific use cases. It is advisable for developers using yargs 8.0.0 to upgrade to 8.0.1 to leverage these improvements and bug fixes. Consider testing applications thoroughly after upgrading to ensure compatibility, especially when relying heavily on the changed dependencies. The minor version bump suggests the changes are not expected to introduce breaking changes, but due diligence is crucial for maintaining application stability. The release date difference also indicates a quick response to issues or updates identified in the initial 8.0.0 release.
All the vulnerabilities related to the version 8.0.1 of the package
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Denial of Service in mem
Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.
Upgrade to version 4.0.0 or later.
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
