Mocha, a simple, flexible, and fun test framework, saw a minor version update from 1.17.0 to 1.17.1 in January 2014. While the core dependencies remain consistent, including essential tools like diff for comparing outputs, glob for file pattern matching, jade for templating, debug for debugging, growl for notifications, mkdirp for directory creation and commander for command-line interface handling, the update signifies bug fixes and minor improvements rather than significant feature additions. Both versions rely on the same development dependencies, should for assertions and coffee-script for writing tests in CoffeeScript.
Developers already using Mocha 1.17.0 should consider updating to 1.17.1 for stability and reliability enhancements. Although the changelog details are unavailable here, the quick release—within two weeks of the previous version—suggests addressing critical issues found after the 1.17.0 release. New adopters can directly use version 1.17.1 for a more polished initial experience. The consistent dependencies provide assurance of continued compatibility with existing projects leveraging these tools within the Mocha testing environment.
All the vulnerabilities related to the version 1.17.1 of the package
Regular Expression Denial of Service (ReDoS)
A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Growl before 1.10.0 vulnerable to Command Injection
Affected versions of growl do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution.
Update to version 1.10.0 or later.