Mocha 4.0.0 follows the 3.5.3 release of this popular JavaScript testing framework. The most visible changes are dependency updates that affect the tooling used during test and development workflows: diff is bumped from 3.2.0 to 3.3.1, glob from 7.1.1 to 7.1.2, and debug from 2.6.8 to 3.1.0. The supports-color dependency jumps from 3.1.2 to 4.4.0, which may improve terminal colour detection during test runs.
The development dependencies also change notably. The older version relied on eslint 3.11.1, while the new version uses 4.7.2. Several outdated packages have been removed and new ones added, indicating that the team has moved the development workflow to better-maintained tooling. One major difference is that phantomjs and karma-phantomjs-launcher are absent from the new version, which suggests the team now relies on a maintained headless browser such as Chrome.
These updates likely bring performance improvements, bug fixes and new features within the individual dependencies; review the changelogs of the updated dependencies to understand the implications for your testing environment. The updated eslint, eslint-config-standard and eslint-plugin-promise impose new linting rules that should be considered when contributing or integrating with other projects. Review your Mocha setup carefully before upgrading to have a seamless experience.
Known vulnerabilities in the dependency tree of version 4.0.0 of the package
Regular Expression Denial of Service (ReDoS) in diff
Versions of diff before 3.5.0 are vulnerable to Regular Expression Denial of Service (ReDoS). Mocha 4.0.0 pins diff 3.3.1, which falls inside the affected range, so the fix is a dependency upgrade rather than a Mocha configuration change.
semver vulnerable to Regular Expression Denial of Service
Versions of semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and before 5.7.2 on all earlier branches are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range when untrusted user data is provided as a range.
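Upgrading semver is the fix; the following is an added example (not semver's own code) of the defence-in-depth check a practitioner would put in front of new Range when the range string comes from untrusted input, such as a request parameter or a package manifest from a third party. The 256-character cap, the character allow-list, the function names and the rangeFactory parameter are this example's assumptions; the allow-list regex itself has no nested quantifiers, so it cannot introduce backtracking of its own.

```javascript
// Added example, not semver's code: bound and allow-list an untrusted range
// string before it reaches a range parser. Cap, charset and names are assumptions.

// Assumed cap: legitimate semver ranges are far shorter than this.
const MAX_RANGE_LENGTH = 256;

// Characters a semver range can legitimately contain: version digits and
// prerelease identifiers, wildcards, comparators, hyphen ranges and "||".
// A single flat character class with one quantifier runs in linear time.
const RANGE_CHARSET = /^[0-9A-Za-z.+*^~<>=| -]*$/;

// True only for strings short enough and clean enough to hand to a range parser.
function isSafeRangeInput(input) {
  return typeof input === 'string'
    && input.length <= MAX_RANGE_LENGTH
    && RANGE_CHARSET.test(input);
}

// Validates first, then delegates to the caller's range constructor, e.g.
// (s) => new semver.Range(s). Rejected input never reaches the parser.
function parseUntrustedRange(input, rangeFactory) {
  if (!isSafeRangeInput(input)) {
    throw new RangeError('rejected untrusted range string');
  }
  return rangeFactory(input);
}

// Constructed inputs: a normal range and an oversized hostile one.
const legitimate = '^1.2.3 || >=2.0.0 <3.0.0';
const hostile = '>=1.0.0'.padEnd(10000, ' ');

console.log('legitimate accepted:', isSafeRangeInput(legitimate)); // true
console.log('hostile accepted:', isSafeRangeInput(hostile));       // false
```

The guard is deliberately stricter than the semver grammar: anything it rejects would have been an invalid range anyway, and the length cap alone removes the attacker's ability to make a backtracking-prone parser do super-linear work.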
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application. This is exploitable if attackers have control over the arguments being passed to minimist. Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
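To make the mechanism in both minimist advisories concrete, here is an added example that is not minimist's own code: a simplified dotted-key argv parser whose setKey walks the path the way the vulnerable pattern does, next to a hardened variant that refuses prototype-controlling path segments and only descends into properties the target object owns itself. The parser shape, the function names and the UNSAFE_KEYS list are this example's assumptions; the demonstration cleans Object.prototype up after itself.

```javascript
// Added example, not minimist's code: a dotted-key argv parser reproducing the
// prototype-pollution pattern, beside a hardened version. Names are assumptions.

// Path segments that let a dotted key reach Object.prototype or a constructor.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: descends through whatever o[key] resolves to. For the path
// ['__proto__', 'y'], obj['__proto__'] is Object.prototype (not undefined), so
// the final assignment lands on every object in the process.
function setKeyVulnerable(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Hardened: rejects unsafe segments anywhere in the path, and only reuses an
// intermediate object that the current target owns (never an inherited one).
function setKeyHardened(obj, keys, value) {
  if (keys.some((k) => UNSAFE_KEYS.has(k))) return false;
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== 'object' || o[key] === null) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Minimal --name[=value] parser; dots in the name create nested objects.
function parseArgs(argv, setKey) {
  const result = {};
  for (const arg of argv) {
    const m = /^--([^=]+)(?:=(.*))?$/.exec(arg);
    if (!m) continue;
    const value = m[2] === undefined ? true : m[2];
    setKey(result, m[1].split('.'), value);
  }
  return result;
}

// Parses a constructed attacker-controlled argv and reports whether an
// unrelated object created beforehand picked up the injected property.
// Deletes the polluted key afterwards so the rest of the process is unaffected.
function demonstratesPollution(setKey) {
  const argv = ['--__proto__.y=Polluted']; // constructed malicious argument
  const bystander = {};                    // has nothing to do with the parser
  parseArgs(argv, setKey);
  const polluted = bystander.y === 'Polluted';
  delete Object.prototype.y;
  return polluted;
}

console.log('vulnerable parser pollutes Object.prototype:', demonstratesPollution(setKeyVulnerable)); // true
console.log('hardened parser pollutes Object.prototype:', demonstratesPollution(setKeyHardened));     // false
```

The hardened variant returns false instead of throwing so a caller can log and drop the argument; rejecting the segment up front also avoids the crash path the first advisory describes for a bare --__proto__=Polluted, since that key is never assigned at all.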