Mocha 7.2.0 introduces updates and refinements to the popular JavaScript testing framework, building upon the solid foundation of version 7.1.2. While both versions share core dependencies like he, ms, diff, and glob, the key improvements lie within the development dependencies, reflecting a commitment to enhanced tooling and code quality.
Notable updates include enhancements to build and documentation tools. For instance, svgo jumps from 1.2.2 to 1.3.2, potentially affecting SVG optimization during documentation generation, while @11ty/eleventy, the static site generator used for the documentation, advances from version 0.8.3 to 0.10.0, bringing the latest features and fixes. Testing and mocking libraries are upgraded, with sinon moving from 7.3.2 to 9.0.1 and unexpected from 10.40.2 to 11.13.0, offering expanded capabilities for writing robust tests. Linting and code style tools are also updated, with remark progressing from 10.0.1 to 11.0.2 and the eslint plugins receiving attention, ensuring adherence to modern coding standards. Some packages, such as acorn and markdown-magic, are removed.
These updates suggest a focus on modernizing the development workflow, improving documentation quality, and maintaining compatibility with the latest tools in the JavaScript ecosystem, which should translate to an improved developer experience. Upgrading to version 7.2.0 brings these enhancements, contributing to a more efficient and reliable testing process.
All the vulnerabilities related to version 7.2.0 of the package
Regular Expression Denial of Service in debug
Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.
As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.
This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.
Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
flat vulnerable to Prototype Pollution
flat helps flatten/unflatten nested JavaScript objects. A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 can address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.
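As an added illustration of the unflatten hardening described above (this is not flat's own code or its actual patch), the following minimal unflatten refuses any dotted key whose path segment could address the object prototype, and builds its result on null-prototype objects; the segment list and the sample input are assumptions constructed for this example.

```javascript
// Added example: a minimal unflatten with a prototype-pollution guard.
// Not flat's code; the guard reflects the general fix pattern for this
// vulnerability class (refuse key segments that reach Object.prototype).
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// A key segment is safe if it cannot address the prototype chain.
function isSafeSegment(segment) {
  return !FORBIDDEN_SEGMENTS.has(segment);
}

// safeUnflatten({'a.b': 1}) -> {a: {b: 1}}.
// Throws on an unsafe path instead of silently writing into a prototype.
function safeUnflatten(flat, delimiter = '.') {
  const out = Object.create(null); // null prototype: no inherited setters
  for (const [key, value] of Object.entries(flat)) {
    const segments = key.split(delimiter);
    if (!segments.every(isSafeSegment)) {
      throw new Error(`refusing unsafe key path: ${key}`);
    }
    let cursor = out;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      if (typeof cursor[seg] !== 'object' || cursor[seg] === null) {
        cursor[seg] = Object.create(null);
      }
      cursor = cursor[seg];
    }
    cursor[segments[segments.length - 1]] = value;
  }
  return out;
}

// Constructed sample input (not from the page).
const SAMPLE = { 'user.name': 'alice', 'user.roles': 'reader' };
```

A unit test for such a guard should also assert that a plain `{}` created after the call has no unexpected properties, which is the observable symptom of pollution.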