Mocha 8.1.2 is a minor version bump over 8.1.1, bringing small but noticeable changes for JavaScript developers who rely on this popular testing framework. The dependency updates show movement in several key areas. Notably, the debugging library debug moves from version 3.2.6 to 4.1.1, which may bring performance improvements and better debugging output. log-symbols also receives an update, moving from version 3.0.0 to 4.0.0; developers should check for compatibility. Furthermore, the escape-string-regexp dependency jumps from 1.0.5 to version 4.0.0, which matters for safety when building regular expressions from strings, and find-up moves from 4.1.0 to 5.0.0.
On the development dependencies front, several updates show a commitment to toolchain modernization. nyc has been updated from 15.0.0 to 15.1.0, and there are upgrades for development tools such as remark, @11ty/eleventy, markdownlint-cli, @babel/preset-env, and @rollup/plugin-babel. The most significant is probably the karma-sauce-launcher update from 2.0.2 to 4.1.5, which affects testing across several browsers. These updates may improve linting, formatting, and build processes, leading to better code quality and developer experience. Developers should check the changelogs for breaking changes in the tooling chain so they can respond to the updates proactively. While incremental on their own, these changes collectively contribute to a more robust and reliable testing environment within Mocha.
All vulnerabilities related to version 8.1.2 of the package
Regular Expression Denial of Service in debug
Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter.
As it takes 50,000 characters to block the event loop for 2 seconds, this is a low severity issue.
The issue was later re-introduced in version 3.2.0 and then patched again in versions 3.2.7 and 4.3.1.
Version 2.x.x: update to version 2.6.9 or later.
Version 3.1.x: update to version 3.1.0 or later.
Version 3.2.x: update to version 3.2.7 or later.
Version 4.x.x: update to version 4.3.1 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when the braceExpand function is called with specific arguments, resulting in a Denial of Service.
flat vulnerable to Prototype Pollution
flat helps flatten and unflatten nested JavaScript objects. A vulnerability, classified as critical, was found in hughsk flat up to 5.0.0. It affects the function unflatten in the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack can be initiated remotely. Upgrading to version 5.0.1 addresses this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.
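The flat advisory above describes the general prototype-pollution pattern in an unflatten routine: dotted keys are split into path segments and each segment is used as a property name, so a segment that names a prototype attribute can rewrite shared object state. The block below is an added example, not code from flat, Mocha or the advisory, and it does not reproduce the 5.0.1 patch; it shows one defensive way to write such a routine. The function names (`safeUnflatten`, `isSafeSegment`, `prototypeIsClean`, `demo`) and the sample inputs are this example's own.

```javascript
// Added example (not flat's or Mocha's code): an unflatten that refuses key
// segments able to reach Object.prototype. Names and inputs are constructed here.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// A segment is safe when it cannot be used to address a prototype attribute.
function isSafeSegment(segment) {
  return !FORBIDDEN_SEGMENTS.has(segment);
}

// Turn { 'a.b.c': 1 } into { a: { b: { c: 1 } } }, throwing on any segment
// that would name a prototype attribute instead of a plain data property.
function safeUnflatten(flatObject, delimiter = '.') {
  // Null-prototype containers mean that even a missed guard would only create
  // an own property, never a write through to Object.prototype.
  const result = Object.create(null);
  for (const [flatKey, value] of Object.entries(flatObject)) {
    const segments = flatKey.split(delimiter);
    for (const segment of segments) {
      if (!isSafeSegment(segment)) {
        throw new Error(`refusing unsafe key segment "${segment}" in "${flatKey}"`);
      }
    }
    let cursor = result;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      if (cursor[seg] === null || typeof cursor[seg] !== 'object') {
        cursor[seg] = Object.create(null);
      }
      cursor = cursor[seg];
    }
    cursor[segments[segments.length - 1]] = value;
  }
  return result;
}

// Detection aid: true when no object inherits the named property, i.e.
// Object.prototype has not been modified for that name.
function prototypeIsClean(propertyName) {
  return !(propertyName in {});
}

// Constructed sample inputs in the shape an application might accept from a client.
const benignInput = { 'user.name': 'alice', 'user.roles.0': 'reader' };
const hostileInput = { '__proto__.isAdmin': true }; // constructed; the guard must reject it

// Runs both inputs through the guarded routine and reports the outcome.
function demo() {
  const ok = safeUnflatten(benignInput);
  let rejected = false;
  try {
    safeUnflatten(hostileInput);
  } catch (e) {
    rejected = true;
  }
  return { ok, rejected, clean: prototypeIsClean('isAdmin') };
}
```

The same `prototypeIsClean` check is a cheap assertion to keep in a test suite around any flatten/unflatten or deep-merge helper that consumes untrusted keys: it catches pollution regardless of which library introduced it.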