Yargs, a popular command-line argument parsing library for Node.js, saw a version bump from 8.0.2 to 9.0.0, marking a potentially significant update for developers. Examining the metadata, the core dependencies remain largely consistent between the two versions, indicating a focus on refinement rather than a complete overhaul of the foundational components. Both versions rely on the same versions of y18n, cliui, camelcase, os-locale, decamelize, read-pkg-up, set-blocking, string-width, which-module, yargs-parser, get-caller-file, require-directory, and require-main-filename. This suggests that the core parsing functionality and internationalization aspects of yargs were deemed stable and reliable.
The devDependencies also exhibit no apparent changes, highlighting a continued commitment to the same testing and development tools, including nyc, chai, mocha, and standard. This demonstrates a consistent approach to code quality and development workflow.
The primary difference lies in the release date. Version 9.0.0 was released on September 3, 2017, while version 8.0.2 was released on June 12, 2017. This three-month gap suggests that the changes introduced in 9.0.0 were substantial enough to warrant a new major version. Developers should consult the changelog for a detailed breakdown of specific bug fixes, feature additions, and potential breaking changes, as the consistent dependency versions indicate that improvements may be internal or subtle behavioral modifications. Upgrading from 8.0.2 to 9.0.0 could introduce minor compatibility issues that will require testing.
All vulnerabilities related to version 9.0.0 of the package
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Denial of Service in mem
Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.
Upgrade to version 4.0.0 or later.
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
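The dotted-key walk behind this advisory, as an added example that is not yargs-parser's own code: a minimal setter that reproduces the bug class beside a hardened version, and a check a program can run after parsing untrusted argv. The helper names and the two-token "--key value" grammar are assumptions made for the example.

```javascript
// Added example, not yargs-parser's own code: a minimal dotted-key setter that
// mirrors the bug class, beside a hardened version, plus a post-parse check.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: each dotted segment is walked blindly, so "__proto__"
// resolves to Object.prototype and the final assignment lands there.
function setPathUnsafe(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] == null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: refuse prototype-reaching segments and descend only into own,
// plain-object properties so inherited members are never walked or written.
function setPathSafe(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN.has(k))) {
    throw new Error(`refusing unsafe key segment in "${path}"`);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Tiny "--key value" parser parameterised by the setter it delegates to.
function parseArgs(argv, setPath) {
  const out = {};
  for (let i = 0; i < argv.length; i++) {
    if (!argv[i].startsWith('--')) continue;
    const next = argv[i + 1];
    const hasValue = next !== undefined && !next.startsWith('--');
    setPath(out, argv[i].slice(2), hasValue ? argv[++i] : true);
  }
  return out;
}

// Post-parse check for untrusted argv: did anything land on Object.prototype?
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}
```

Running parseArgs(['--foo.__proto__.bar', 'baz'], setPathUnsafe) makes isPolluted('bar') true for every object in the process, while setPathSafe rejects the same input before anything is written.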