Mocha 8.1.0 introduces a few key updates compared to version 8.0.1, particularly in its dependencies and development dependencies. Among the runtime dependencies, the notable change is serialize-javascript, upgraded from 3.0.0 to 4.0.0; as a major version bump it may change how JavaScript values are serialized, which can affect complex test setups or data handling that relies on it. The yargs-unparser dependency moves from 1.6.0 to 1.6.1.
Among the development dependencies, 8.1.0 brings several additions and upgrades. The most significant is the introduction of rollup and its plugins: @rollup/plugin-json, @rollup/plugin-babel, @rollup/plugin-commonjs, @rollup/plugin-node-resolve, @rollup/plugin-multi-entry, rollup-plugin-node-globals, rollup-plugin-node-builtins and rollup-plugin-visualizer. These indicate a change in how Mocha is bundled and built, which may streamline the development process or improve build performance. core-js ^3.6.5 is also added, supplying polyfills for standard JavaScript built-ins.
Developers should also note the upgrades to karma, canvas and assetgraph-builder, which may improve the test-running environments and asset handling used during development. The removal of browserify, browserify-package-json and image-size is consistent with the move to Rollup for bundling. uuid is added as a dev dependency, and supports-color gets a major version bump from 7.1.0. Together these updates may bring new features, bug fixes or performance improvements to testing and development workflows.
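The dependency delta described above is the kind of thing worth computing rather than reading by hand, because major-version bumps are where behaviour (and security fixes) change. The following is an added example, not part of this page or of Mocha's tooling: it diffs two package.json-style dependency maps and flags major bumps. The two maps are constructed subsets; the serialize-javascript and yargs-unparser versions match the text, while the browserify and rollup versions are placeholders, not taken from Mocha's manifests.

```javascript
// Added example (not Mocha's own code): diff two dependency maps and flag
// major-version bumps for closer review.

// Extract the major version from a range such as "^3.6.5" or "4.0.0".
// Returns null for ranges this deliberately small parser does not handle.
function parseMajor(range) {
  const m = /^[\^~]?(\d+)/.exec(range);
  return m ? Number(m[1]) : null;
}

// Compare two { name: range } maps and report added, removed and changed
// entries; a change is a "majorBump" when the major component differs.
function diffDependencies(before, after) {
  const has = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);
  const added = [];
  const removed = [];
  const changed = [];
  for (const name of Object.keys(after)) {
    if (!has(before, name)) {
      added.push({ name, version: after[name] });
    } else if (before[name] !== after[name]) {
      changed.push({
        name,
        from: before[name],
        to: after[name],
        majorBump: parseMajor(before[name]) !== parseMajor(after[name]),
      });
    }
  }
  for (const name of Object.keys(before)) {
    if (!has(after, name)) removed.push({ name, version: before[name] });
  }
  return { added, removed, changed };
}

// Constructed subsets of the two manifests. serialize-javascript and
// yargs-unparser versions are those stated in the text; the browserify and
// rollup versions are placeholders, not Mocha's real values.
const DEPS_8_0_1 = {
  'serialize-javascript': '3.0.0',
  'yargs-unparser': '1.6.0',
  browserify: '0.0.0-placeholder',
};
const DEPS_8_1_0 = {
  'serialize-javascript': '4.0.0',
  'yargs-unparser': '1.6.1',
  rollup: '0.0.0-placeholder',
};

// Render the diff as one line per entry, major bumps first-marked.
function report(before, after) {
  const d = diffDependencies(before, after);
  const lines = [];
  for (const c of d.changed) {
    lines.push(`${c.majorBump ? 'MAJOR  ' : '       '}${c.name}: ${c.from} -> ${c.to}`);
  }
  for (const a of d.added) lines.push(`added   ${a.name} ${a.version}`);
  for (const r of d.removed) lines.push(`removed ${r.name} ${r.version}`);
  return lines;
}

console.log(report(DEPS_8_0_1, DEPS_8_1_0).join('\n'));
```

To run it against the real manifests, fetch the maps with `npm view mocha@8.0.1 dependencies --json` and `npm view mocha@8.1.0 dependencies --json` (or `devDependencies`) and pass them to diffDependencies.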
All vulnerabilities related to version 8.1.0 of the package
Regular Expression Denial of Service in debug
Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter (%o). As it takes 50,000 characters to block the event loop for 2 seconds, this issue is of low severity.
The flaw was later re-introduced in version 3.2.0 and patched again in versions 3.2.7 and 4.3.1.
Remediation: Version 2.x.x: update to version 2.6.9 or later. Version 3.1.x: update to version 3.1.0 or later. Version 3.2.x: update to version 3.2.7 or later. Version 4.x.x: update to version 4.3.1 or later.
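The mechanism behind this advisory, and behind the minimatch entry below, is the same: a regular expression with adjacent unbounded quantifiers that backtracks quadratically on input it never matches. The following is an added example, not debug's own source: it shows a newline-collapsing replacement in the vulnerable shape beside a hardened split-and-trim version, and times both on whitespace-only input of the kind the advisory describes. The input lengths and the sample string are constructed here.

```javascript
// Added example (not debug's code): the ReDoS shape behind the %o advisory.

// Vulnerable shape. On a run of N spaces with no "\n", every start index lets
// \s* consume the rest of the string, fail on \n, and back off one character
// at a time, so the scan costs O(N^2) steps and never matches anything.
function collapseNewlinesVulnerable(s) {
  return s.replace(/\s*\n\s*/g, ' ');
}

// Hardened shape: split on the literal newline first, then trim each line.
// No quantified class precedes the anchor character, so there is nothing
// to backtrack over; cost is linear in the input length.
function collapseNewlinesSafe(s) {
  return s.split('\n').map((line) => line.trim()).join(' ');
}

// Adversarial input: whitespace only, no newline, so the regex above fails
// at every index after consuming everything to the right of it.
function adversarialInput(n) {
  return ' '.repeat(n);
}

// Wall-clock time in milliseconds for one call.
function timeMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Constructed benign input on which both implementations agree. (They differ
// on blank lines and on leading/trailing whitespace of the whole string; the
// hardened version trims those, the regex leaves them.)
const SAMPLE = 'Object {\n  a: 1,\n  b: [ 1, 2 ]\n}';

console.log(collapseNewlinesVulnerable(SAMPLE));
console.log(collapseNewlinesSafe(SAMPLE));
for (const n of [1000, 4000, 16000]) {
  const slow = timeMs(collapseNewlinesVulnerable, adversarialInput(n)).toFixed(1);
  const fast = timeMs(collapseNewlinesSafe, adversarialInput(n)).toFixed(1);
  console.log(`${n} chars: regex ${slow} ms, split/trim ${fast} ms`);
}
```

Quadrupling the input length roughly multiplies the regex time by sixteen while the split/trim time stays flat; extrapolating from the printed numbers to 50,000 characters gives the multi-second stall the advisory reports.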
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. The flaw allows a Regular Expression Denial of Service (ReDoS) when the braceExpand function is called with specially crafted arguments, resulting in a denial of service. The issue is fixed in minimatch 3.0.5.
flat vulnerable to Prototype Pollution
flat flattens and unflattens nested JavaScript objects. A vulnerability classified as critical was found in hughsk/flat up to and including version 5.0.0. It affects the unflatten function in index.js: manipulation of the input leads to improperly controlled modification of object prototype attributes (prototype pollution), and the attack can be initiated remotely wherever untrusted input reaches unflatten. Upgrading to version 5.0.1 addresses this issue; the patch is commit 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. Upgrading the affected component is recommended. The identifier VDB-216777 was assigned to this vulnerability.
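The following is an added example, not flat's own code, showing the mechanism: a minimal unflatten() that walks dotted key paths into nested objects, in the vulnerable shape (it will happily step through "__proto__" into Object.prototype) beside a hardened version that refuses prototype-related path segments. The payload and the probe helper are constructed here; the forbidden-key list is the usual one for this bug class and is an assumption, not a quotation of the 5.0.1 patch.

```javascript
// Added example (not flat's code): prototype pollution via a dotted-key
// unflatten, and one way to close it.

// Vulnerable shape. For the key "__proto__.polluted", reading
// cur["__proto__"] on a plain object yields Object.prototype, and the final
// assignment then writes into the shared prototype of every object.
function unflattenVulnerable(flat) {
  const result = {};
  for (const [path, value] of Object.entries(flat)) {
    const parts = path.split('.');
    let cur = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const k = parts[i];
      if (cur[k] === null || typeof cur[k] !== 'object') cur[k] = {};
      cur = cur[k];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return result;
}

// Assumed forbidden segments; typical for this bug class.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened shape: reject any path containing a forbidden segment, and only
// descend into properties the current object actually owns, so inherited
// members (e.g. toString) are never used as containers.
function unflattenSafe(flat) {
  const result = {};
  for (const [path, value] of Object.entries(flat)) {
    const parts = path.split('.');
    if (parts.some((p) => FORBIDDEN.has(p))) {
      throw new Error(`refusing unsafe key path: ${path}`);
    }
    let cur = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const k = parts[i];
      const own = Object.prototype.hasOwnProperty.call(cur, k);
      if (!own || cur[k] === null || typeof cur[k] !== 'object') cur[k] = {};
      cur = cur[k];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return result;
}

// Probe: run an implementation on an attacker-shaped payload and report
// whether a fresh, unrelated object now sees the injected property. Always
// cleans Object.prototype afterwards so the probe leaves no pollution behind.
function pollutes(unflatten) {
  const payload = { '__proto__.polluted': 'yes', 'safe.key': 1 }; // constructed
  let threw = false;
  try {
    unflatten(payload);
  } catch (e) {
    threw = true;
  }
  const leaked = {}.polluted === 'yes';
  delete Object.prototype.polluted;
  return { leaked, threw };
}

console.log('vulnerable:', pollutes(unflattenVulnerable));
console.log('hardened:  ', pollutes(unflattenSafe));
console.log(JSON.stringify(unflattenSafe({ 'a.b.c': 1, 'a.d': 2 })));
```

The leaked flag is what makes this remotely exploitable in practice: any code path that later checks a property like `isAdmin` or `debug` on an object that never set it will now see the attacker's value.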