Yup is a popular JavaScript schema builder for value parsing and validation. Version 0.28.0 introduces some improvements over the previous stable version, 0.27.0. While both versions share the same core dependencies like lodash, fn-name, toposort, property-expr, @babel/runtime, and synchronous-promise, the key difference lies in the updated release date and the slightly increased unpacked size of the package. Version 0.28.0 was released in December 2019, whereas 0.27.0 was released in March 2019.
For developers, this means version 0.28.0 likely includes bug fixes, performance improvements, or minor feature enhancements accumulated over the intervening months. Although the core dependencies remain consistent, the larger unpacked size of 0.28.0 (143372 bytes compared to 134883 bytes in 0.27.0) suggests internal code changes such as additional features or refined implementations. Developers should always consult the changelog or release notes for the specific differences and upgrade guides when moving between versions, both to ensure compatibility and to take advantage of the latest improvements in schema validation. The consistent set of devDependencies indicates a stable development environment with familiar testing and linting tools like Chai, Jest, ESLint, and Rollup.
All vulnerabilities related to version 0.28.0 of the package
Prototype Pollution in property-expr
Versions of the package property-expr before 2.0.3 are vulnerable to Prototype Pollution via the setter function.