Mocha version 10.0.0 brings several updates compared to version 9.2.2, affecting both runtime dependencies and developer tooling. In the dependencies section, debug is updated from 4.3.3 to 4.3.4, glob stays at 7.2.0, minimatch is upgraded from 4.2.1 to 5.0.1, and workerpool is bumped from 6.2.0 to 6.2.1. These dependency updates likely incorporate bug fixes and performance improvements, ensuring smoother operation and compatibility.
The devDependencies section shows more significant changes. Notably, rollup is upgraded from version 2.66.0 to 2.70.1, suggesting build-process enhancements. Several packages present in version 9.2.2, such as core-js, requirejs, @babel/preset-env, @rollup/plugin-babel, rollup-plugin-node-polyfills and coffee-script, are removed in the newer version, potentially indicating a shift in the project's build or testing strategy. Conversely, new packages such as @mocha/docdash version 4.0.1 are added in version 10.0.0, potentially improving documentation generation and other development workflows. The update of @11ty/eleventy from 0.12.1 to 1.0.0, along with other packages, suggests improvements in static site generation for the documentation or project website. Collectively, these changes reflect an effort to modernize the build pipeline, improve documentation, and streamline the development experience. Finally, in the dist section the fileCount decreases from 75 to 70 and the unpackedSize is almost halved, from 3907386 to 2081880, suggesting significant optimization and improved performance; developers benefit from a leaner and more efficient testing framework.
All vulnerabilities reported for version 10.0.0 of the package:
Predictable results in nanoid generation when given non-integer values
When nanoid was called with a fractional value, there were a number of undesirable effects:
Fixed in versions 3.3.8 and 5.0.9.
Cross-site Scripting (XSS) in serialize-javascript
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regular expressions or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when the serialized output is deserialized by a web browser, enabling cross-site scripting (XSS) attacks. The issue is critical in environments where serialized data is sent to web clients, as it can compromise the security of the website or web application using this package.