Mocha 6.1.0 represents an incremental update over version 6.0.2 of this popular JavaScript test framework. Both versions maintain the core promise of providing a simple, flexible, and fun testing experience. Looking at the dependencies, several key updates stand out. Notably, yargs jumps from version 12.0.5 to 13.2.2, bringing potential enhancements in command-line argument parsing. js-yaml moves from 3.12.0 to 3.13.0, suggesting improvements in YAML parsing capabilities. findup-sync is replaced by find-up, indicating a shift in how the module locates files in directory structures; this could affect module resolution during testing. Analyzing the devDependencies, there are less impactful although still worthy changes. svgo updates from 1.1.1 to 1.2.0, improving SVG optimization. karma sees an upgrade from 4.0.0 to 4.0.1. eslint goes from 5.14.1 to 5.15.0, delivering linting improvements and newer rules. @mocha/docdash advances from 2.0.0 to 2.1.0 improving the documentation theming. karma-sauce-launcher goes from 1.2.0 to 2.0.2 probably changing some configurations for the test launcher. The file size changes from 968724 to 1011532 bytes impacting the performance. These upgrades collectively suggest a focus on refining command-line interactions, staying current with linting best practices, enhancing documentation, and potentially optimizing test execution environments. Developers should evaluate these refined dependencies to ensure compatibility with their existing projects.
All the vulnerabilities related to the version 6.1.0 of the package
Regular Expression Denial of Service in debug
Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.
As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.
This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.
Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Code Injection in js-yaml
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.
An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object
{
"1553107949161": 1
}
Upgrade to version 3.13.1.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
flat vulnerable to Prototype Pollution
flat helps flatten/unflatten nested Javascript objects. A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 can address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.
