Mocha version 7.1.2 is a patch release following version 7.1.1 of this popular JavaScript testing framework. Both versions retain the same core description: a simple, flexible, and fun testing environment. The dependency structure remains largely consistent, leveraging utilities like he, ms, diff, glob, debug, and yargs for core functionality. Development dependencies, crucial for contributing and maintaining the project, also show near-identical lists, including tools for linting (eslint), formatting (prettier), browser testing (karma, browserify) and code coverage (nyc).
The most notable difference between the two versions lies in the mkdirp dependency; it was updated from version 0.5.3 to 0.5.5. This change, while seemingly minor, likely addresses a bug fix or security concern within the directory creation utility. Other differences may appear in the dist object attributes such as 'fileCount', 'unpackedSize' and 'releaseDate', which reflect the changes introduced in the newer release. Since it is a patch version, the most important reasons to update are bug fixes and keeping the project secure and up to date. For developers using Mocha, upgrading from 7.1.1 to 7.1.2 is recommended to benefit from these potentially critical improvements.
All vulnerabilities related to version 7.1.2 of the package
Regular Expression Denial of Service in debug
Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.
As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.
This was later re-introduced in version 3.2.0, and then re-patched in versions 3.2.7 and 4.3.1.
Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
flat vulnerable to Prototype Pollution
flat helps flatten/unflatten nested JavaScript objects. A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 can address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.
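The prototype-pollution class of bug described for flat's unflatten comes from dotted keys whose segments walk onto Object.prototype. The following is an added illustration, not code from flat or from Mocha: a minimal unflatten that refuses the dangerous segments, plus a check a test suite can run to confirm Object.prototype was not modified. The function names and the sample inputs are constructed for this example.

```javascript
// Key segments that can reach Object.prototype when used as property names.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a dotted key and reject any segment that could pollute the prototype.
function safeSegments(key, delimiter = '.') {
  const segments = key.split(delimiter);
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`refusing unsafe key segment: ${seg}`);
    }
  }
  return segments;
}

// Unflatten {'a.b': 1, 'a.c': 2} into {a: {b: 1, c: 2}}. Intermediate nodes are
// created with a null prototype so there is nothing inherited to overwrite.
function safeUnflatten(flat, delimiter = '.') {
  const result = Object.create(null);
  for (const key of Object.keys(flat)) {
    const segments = safeSegments(key, delimiter);
    let node = result;
    for (let i = 0; i < segments.length - 1; i += 1) {
      const seg = segments[i];
      const existing = node[seg];
      if (typeof existing !== 'object' || existing === null) {
        node[seg] = Object.create(null);
      }
      node = node[seg];
    }
    node[segments[segments.length - 1]] = flat[key];
  }
  return result;
}

// Defensive check for a test suite: does a fresh object inherit `marker`?
// Any value other than undefined means something wrote to Object.prototype.
function isPrototypePolluted(marker) {
  return ({})[marker] !== undefined;
}

// Constructed sample inputs: a benign flat object and one shaped like the
// advisory's attack (a key that begins with __proto__).
const SAMPLE = { 'a.b': 1, 'a.c': 2 };
const HOSTILE = { '__proto__.polluted': 'yes' };

// Returns true when the hostile input is rejected and the prototype stays clean.
function rejectsHostileInput() {
  try { safeUnflatten(HOSTILE); return false; } catch (_) {
    return !isPrototypePolluted('polluted');
  }
}
```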