Mocha is a versatile and widely used JavaScript test framework, known for its simplicity and flexibility in writing and running tests for Node.js and browser applications. Versions 5.0.0 and 5.0.1 are closely related releases. Both declare identical dependencies, including "he" for HTML entity encoding, "diff" for comparing text, and "glob" for file pattern matching, as well as the same development dependencies such as "eslint" for code linting and "browserify" for bundling. Because both versions depend on the same core packages, they offer the same capabilities and pull in the same third-party code.
A notable difference between 5.0.1 and 5.0.0 is the release date: 5.0.1 was published on February 13, 2018, shortly after 5.0.0 on January 18, 2018. This suggests that 5.0.1 incorporates bug fixes or minor improvements identified soon after the initial 5.0.0 release. The "dist" object in the package metadata gives the distribution details: 5.0.1 records a "fileCount" of 54 and an "unpackedSize" of 849711, whereas 5.0.0 carries only the basic tarball information. Developers upgrading from 5.0.0 should expect minor enhancements, likely stability improvements, and a larger unpacked size on disk. Developers relying on Mocha should therefore move to 5.0.1 to pick up these updates and fixes.
All vulnerabilities related to version 5.0.1 of the package
Regular Expression Denial of Service (ReDoS)
A vulnerability was found in diff before v3.5.0: the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
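The two minimist advisories above describe the same bug class: a dotted argument key is walked with plain property access, so "__proto__" steps into Object.prototype and the final write lands on every object. The following added example (not minimist's own code, and not taken from the advisories) shows a minimal "--a.b=value" parser with a setKey that mirrors that flaw, a hardened setKey that rejects prototype-reaching keys and only descends into own properties, and a check that a test suite can run to confirm Object.prototype was not polluted. Function and variable names are assumptions chosen for this illustration.

```javascript
// Vulnerable: walks the dotted path with plain property access, so a key of
// "__proto__" resolves to Object.prototype and the last write pollutes it.
function setKeyVulnerable(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened: refuse keys that can reach a shared prototype, and create a fresh
// own object for each intermediate step unless one already exists as an own
// property, so an inherited value can never be used as the next pivot.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function setKeyHardened(obj, keys, value) {
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) return false; // rejected
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== 'object' || o[key] === null) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Parses argv entries of the form "--a.b.c=value" with the given setter and
// returns the resulting options object (constructed, simplified syntax).
function parseArgs(argv, setKey) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setKey(out, m[1].split('.'), m[2]);
  }
  return out;
}

// Defender-side check: true if Object.prototype gained an own property it
// should not have, i.e. a fresh {} would now inherit `name`.
function prototypeIsPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}
```

Running the vulnerable setter against the advisory's sample argument makes prototypeIsPolluted('y') true; the hardened setter drops that argument while still accepting ordinary keys.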