Mocha 5.2.0 introduces several updates and refinements over its predecessor, version 5.1.1. Among the runtime dependencies, "supports-color" moves from 4.4.0 to 5.4.0, improving terminal colour detection, and "commander" moves from 2.11.0 to 2.15.1, improving command-line argument parsing.
The larger set of changes sits in the devDependencies and reflects work on the development and testing environment. Core tooling is updated: "nyc" (coverage reporting) goes from 11.2.1 to 11.7.3 and "svgo" (SVG optimizer) moves to 1.0.5. "husky" is a new devDependency used to manage git hooks. Many further utilities and plugins are bumped, indicating broader refinements to the testing, linting, and build processes and support for newer tools and practices.
The changes also include the adoption of Prettier and the related ESLint packages.
Developers upgrading to Mocha 5.2.0 can expect improved terminal colour support, better command-line argument parsing, and a more robust development workflow from the updated testing and linting tools. The core testing API remains consistent, so existing test suites should run unchanged.
The release also carries code changes beyond the dependency bumps, but for most users the practical difference is the refreshed tooling, which makes 5.2.0 a more modern and maintainable release to adopt.
Known vulnerabilities affecting version 5.2.0 of the package. Each of the advisories below concerns a dependency in Mocha's dependency tree (minimist, minimatch) rather than Mocha's own code, so the practical fix is to make sure the resolved version of that dependency is at or above the patched release.
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of a property that will then exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
This is a separate advisory from the one above, and its fixed versions supersede the earlier ones: a tree resolved to 1.2.3 or 0.2.1 is still affected, so the target to verify is 1.2.6 (or 0.2.4 on the 0.x line) or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. Calling the braceExpand function with specific arguments triggers a Regular Expression Denial of Service (ReDoS): the pattern matching backtracks catastrophically and the process can be held busy for as long as the attacker likes, resulting in a Denial of Service. This matters wherever glob patterns are taken from untrusted input.