Mocha-runner is a streamlined tool designed to simplify running Mocha tests, especially valuable for developers seeking a quick setup without extensive configurations. It bundles essential assertion and mocking libraries like Chai, Sinon, Sinon-Chai, and Chai-Fuzzy, allowing developers to immediately write expressive and comprehensive tests. The core functionality remains consistent between versions 3.0.0 and 3.0.1, with both accepting glob patterns to specify test files, enhancing flexibility in project organization.
The subtle update from version 3.0.0, released in June 2019, to version 3.0.1, released a month later in July, primarily involves minor dependency updates, likely targeting bug fixes or performance enhancements. Specifically, the "extend" dependency moves from "^3.0.0" to "3.0.2", and "underscore" moves from "^1.8.2" to "1.9.1", suggesting potential improvements in object extension and utility functions. The unpacked size of the package also increased slightly. These changes introduce no breaking changes or new features, but help ensure a more reliable testing environment by leveraging the latest patch releases of the underlying utilities, giving increased stability with minimal disruption. By using mocha-runner, developers can spend their time focusing on what matters: writing great code and great tests.
All the vulnerabilities related to version 3.0.1 of the package
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. "fr", is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
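One way to apply that recommendation, as an added example that is not code from moment.js, mocha-runner or the advisory: validate the locale name against a strict allowlist pattern (and optionally against the set of locales the application actually ships) before it reaches moment.locale(). LOCALE_RE, MAX_LOCALE_LENGTH and the option names are assumptions of this example.

```javascript
// Added example: not code from moment.js, mocha-runner or this advisory.
// Validate a user-supplied locale name before calling moment.locale().
// LOCALE_RE and the option names below are assumptions of this example;
// the pattern accepts plain language tags such as "fr", "en-gb", "es-do".
const LOCALE_RE = /^[a-z]{2,3}(?:-[a-z0-9]{1,8})*$/;
const MAX_LOCALE_LENGTH = 20;

// Returns a locale name that is safe to pass on, or `fallback` when the
// input is rejected. Rejected input is never "cleaned up" (no stripping of
// "../" or "/"), because a normalised attacker string is still attacker data.
function sanitizeLocale(input, { fallback = 'en', allowed = null } = {}) {
  if (typeof input !== 'string') return fallback;
  const candidate = input.trim().toLowerCase();
  if (candidate.length === 0 || candidate.length > MAX_LOCALE_LENGTH) return fallback;
  if (!LOCALE_RE.test(candidate)) return fallback; // rejects "/", "..", NUL bytes, etc.
  // Optional second layer: only locales the application actually ships.
  if (allowed && !allowed.has(candidate)) return fallback;
  return candidate;
}

// Predicate form, handy for logging or alerting on rejected values.
function isAcceptableLocale(input) {
  return sanitizeLocale(input, { fallback: null }) !== null;
}

// Constructed sample inputs (not taken from any real request log).
const samples = ['fr', 'en-GB', 'dir/../../filename', '../../../etc/passwd', '', 42];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(sanitizeLocale(s)));
}
```

In a request handler this becomes `moment.locale(sanitizeLocale(req.query.lang, { allowed: SHIPPED_LOCALES }))`, where SHIPPED_LOCALES is the set of locale files the application bundles; upgrading to moment 2.29.2 or later remains the primary fix, and this check is defence in depth.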
Moment.js vulnerable to Inefficient Regular Expression Complexity
The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to the constructor are encouraged to apply such a rudimentary filter, which would help with this but also with most future ReDoS vulnerabilities.
There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=
The issue is rooted in the code that removes legacy comments (stuff inside parentheses) from strings during rfc2822 parsing. moment("(".repeat(500000)) will take a few minutes to process, which is unacceptable.
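The length filter suggested above, as an added example (not moment.js code): a guard that rejects oversized strings before any parser or regular expression sees them, wrapped so the check cannot be bypassed. MAX_DATE_INPUT, boundedDateInput and guardedParse are names chosen for this example, and Date.parse stands in for moment() so the block runs offline.

```javascript
// Added example: not moment.js code. Applies the rudimentary filter the
// advisory recommends (cap user-originating date strings at ~200 chars)
// before any parser or regular expression sees the input. MAX_DATE_INPUT,
// boundedDateInput and guardedParse are names chosen for this example.
const MAX_DATE_INPUT = 200;

// Throws on anything that is not a short string. A cap this low costs nothing
// for real date-time strings and removes the oversized input a ReDoS needs.
function boundedDateInput(value) {
  if (typeof value !== 'string') {
    throw new TypeError(`date input must be a string, got ${typeof value}`);
  }
  if (value.length > MAX_DATE_INPUT) {
    throw new RangeError(`date input too long: ${value.length} > ${MAX_DATE_INPUT}`);
  }
  return value;
}

// Wraps any parser (moment, Date.parse, a custom one) so the length check
// always runs first. Returns { ok, value } or { ok: false, reason } so the
// caller can log rejections without exceptions escaping a request handler.
function guardedParse(value, parser) {
  try {
    return { ok: true, value: parser(boundedDateInput(value)) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed inputs: a normal RFC 2822 date and the pathological string from
// the advisory. Date.parse stands in for moment() so this runs offline.
const normal = guardedParse('Sun, 30 Jun 2019 12:00:00 GMT', Date.parse);
const hostile = guardedParse('('.repeat(500000), Date.parse);
console.log(normal);
console.log(hostile);
```

With moment installed, `guardedParse(input, (s) => moment(s))` gives the same protection; the hostile string is rejected in constant time instead of occupying the event loop for minutes. The same cap is reasonable for any other user-originating string that is fed to a regular expression.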
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application. This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
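For both minimist advisories above, an added example that is not minimist's own code: a minimal argv parser whose key-assignment helper mirrors the dotted-key shape of setKey() but builds its result objects with a null prototype and refuses the keys that reach Object.prototype, plus a post-parse check that detects pollution from any parser. FORBIDDEN_KEYS, setKeySafe, parseArgsSafe and prototypeIsClean are names chosen for this example.

```javascript
// Added example: not minimist's code. A minimal argv parser that mirrors the
// dotted-key assignment minimist's setKey() performs, but (a) builds result
// objects with a null prototype and (b) refuses the keys that reach
// Object.prototype. Rejected arguments are reported rather than silently
// dropped so they can be logged. All names here are chosen for this example.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assigns `value` at the path `keys` inside `obj`. Returns false (and changes
// nothing) if any path segment is a forbidden key.
function setKeySafe(obj, keys, value) {
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) return false;
  let node = obj;
  for (const key of keys.slice(0, -1)) {
    const existing = Object.prototype.hasOwnProperty.call(node, key) ? node[key] : undefined;
    if (typeof existing !== 'object' || existing === null) {
      node[key] = Object.create(null); // container without a prototype chain
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return true;
}

// Parses "--a.b=c", "--flag" and positional arguments.
function parseArgsSafe(argv) {
  const args = Object.create(null);
  args._ = [];
  const rejected = [];
  for (const arg of argv) {
    const m = /^--([^=]+)(?:=(.*))?$/.exec(arg);
    if (!m) { args._.push(arg); continue; }
    const value = m[2] === undefined ? true : m[2];
    if (!setKeySafe(args, m[1].split('.'), value)) rejected.push(arg);
  }
  return { args, rejected };
}

// Post-parse check: a fresh object must not have picked up any property and
// Object.prototype must have no enumerable keys. Run it in tests or at
// startup to detect pollution from any argument or config parser.
function prototypeIsClean(probeKeys = ['y', 'polluted']) {
  const probe = {};
  return probeKeys.every((k) => !(k in probe)) && Object.keys(Object.prototype).length === 0;
}

// Constructed argv, including the two argument shapes the advisory cites.
const result = parseArgsSafe(['--name=app', '--db.port=5432', 'input.txt',
  '--__proto__.y=Polluted', '--__proto__=Polluted']);
console.log(result.args, result.rejected, prototypeIsClean());
```

The rejected list is what a defender wants to see in logs: an argument carrying `__proto__` in a path is almost never legitimate, so logging it is a cheap detection signal. Upgrading minimist (0.2.4 / 1.2.6 or later) remains the actual fix; the null-prototype containers and the startup check are defence in depth for code that cannot upgrade immediately.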
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Arbitrary Code Execution in underscore
The package underscore, from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.
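An added example of the missing sanitization, not underscore's code: _.template compiles its render function with new Function(...) and uses the `variable` setting as that function's parameter name, so a value that is not a bare identifier ends up spliced into generated source. The wrapper below rejects such values before they reach the template compiler; IDENTIFIER_RE, isBareIdentifier, validateTemplateSettings and safeTemplate are names and patterns chosen for this example.

```javascript
// Added example: not underscore's code. _.template compiles its render
// function with `new Function(...)` and uses the `variable` setting as that
// function's parameter name, so a non-identifier value is spliced into source
// code. This wrapper rejects such values up front; IDENTIFIER_RE and the
// function names are assumptions of this example.
const IDENTIFIER_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// True only for a plain JavaScript identifier: no dots, spaces, punctuation.
function isBareIdentifier(value) {
  return typeof value === 'string' && IDENTIFIER_RE.test(value);
}

// Validates template settings before they reach a template compiler.
// `variable` is the field spliced into generated source, so it must be a
// bare identifier; the delimiter settings are RegExp objects and are
// checked for type only.
function validateTemplateSettings(settings = {}) {
  if (settings.variable !== undefined && !isBareIdentifier(settings.variable)) {
    throw new Error(
      `template "variable" must be a bare identifier, got ${JSON.stringify(settings.variable)}`
    );
  }
  for (const key of ['interpolate', 'escape', 'evaluate']) {
    if (settings[key] !== undefined && !(settings[key] instanceof RegExp)) {
      throw new TypeError(`template "${key}" must be a RegExp`);
    }
  }
  return settings;
}

// Boolean form for callers that prefer to log and fall back to defaults.
function settingsAreValid(settings) {
  try { validateTemplateSettings(settings); return true; } catch (e) { return false; }
}

// Wraps any template compiler (in an application, pass _.template as
// `compile`) so the settings check cannot be skipped.
function safeTemplate(text, settings, compile) {
  return compile(text, validateTemplateSettings(settings));
}

// Constructed settings: a normal one and two that are not bare identifiers.
// A trivial stand-in compiler keeps the block runnable without underscore.
const stubCompile = (text, settings) => () => `${settings.variable || 'obj'}:${text}`;
console.log(safeTemplate('<%= name %>', { variable: 'data' }, stubCompile)());
console.log(settingsAreValid({ variable: 'obj.user' }), settingsAreValid({ variable: '' }));
```

Upgrading underscore to 1.12.1 / 1.13.0-2 or later is the real fix, since the patched versions perform an equivalent identifier check internally; this wrapper matters for applications that build template settings from configuration or user-controlled data and cannot yet upgrade.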