Mocha 9.2.0 brings subtle but noteworthy changes over version 9.1.4, affecting both the core dependencies and the development tooling surrounding this popular JavaScript testing framework. Among the runtime dependencies, the notable updates are glob (7.1.7 to 7.2.0), debug (4.3.2 to 4.3.3) and nanoid (3.1.25 to 3.2.0), which likely bring minor bug fixes or performance improvements. workerpool also moved from version 6.1.5 to 6.2.0.
The more significant changes are in devDependencies, which matter to developers contributing to or extending Mocha. Key updates include chai moving from 4.2.0 to 4.3.4 and karma jumping from 6.3.4 to 6.3.11. Several libraries, including remark, core-js and webpack, received version bumps that may bring new features or fixes. Notably, fs-extra was upgraded from 9.0.1 to 10.0.0, and the markdown tooling shifted with markdown-it moving from 11.0.0 to 12.3.2. @babel/preset-env was bumped from 7.14.8 to 7.16.11; @rollup/plugin-json stays at the same version, while @rollup/plugin-babel moved from version 5.1.0. These updates reflect an effort to keep Mocha's development workflow aligned with current JavaScript tooling. Finally, rollup-plugin-visualizer jumped from 4.1.0 to 5.5.4.
Developers should review the changes in these development dependencies to understand their impact on Mocha's build process, testing environment and plugin ecosystem. The updated releaseDate indicates active maintenance: the Mocha team is keeping the library current and its dependencies patched, which is always a good sign.
All vulnerabilities related to version 9.2.0 of the package
Predictable results in nanoid generation when given non-integer values
When nanoid is called with a fractional value, there were a number of undesirable effects:
Versions 3.3.8 and 5.0.9 contain the fix.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. The flaw allows a Regular Expression Denial of Service (ReDoS) when the braceExpand function is called with specific arguments, resulting in a denial of service.
Cross-site Scripting (XSS) in serialize-javascript
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regular expressions or other JavaScript object types, allowing an attacker to inject malicious code. That code can be executed when the serialized output is deserialized by a web browser, causing cross-site scripting (XSS). The issue is critical in environments where serialized data is sent to web clients, since it can compromise the website or web application using this package.
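The defender-side pattern the advisory points at, as an added example that is not code from Mocha or from serialize-javascript: serialize only data (plain JSON), refuse values that could only be reconstructed by emitting code, and escape the characters that let serialized text break out of a script block. Function and variable names below are my own; the sample input is constructed.

```javascript
// Added example: embedding server-side data in a <script> block without
// handing the browser executable code. JSON.stringify never emits code, so the
// remaining risk is text that terminates the tag or breaks the JS parser.

const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028', // line/paragraph separators: legal in JSON, historically
  '\u2029': '\\u2029', // illegal inside JS string literals
};

// JSON.stringify replacer: fail closed on types that only code could recreate.
// (serialize-javascript's whole purpose is to emit code for these; we refuse.)
function dataOnlyReplacer(key, value) {
  if (typeof value === 'function' || value instanceof RegExp) {
    const kind = typeof value === 'function' ? 'function' : 'RegExp';
    throw new TypeError(`refusing to serialize ${kind} at key "${key}"`);
  }
  return value;
}

// Serialize to JSON that stays valid JSON but can no longer contain a raw
// '<', '>' or '&', so "</script>" inside a string cannot close the tag.
function safeJsonForScript(value) {
  const json = JSON.stringify(value, dataOnlyReplacer);
  return json.replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

// Wrap the serialized data in a script tag that assigns it to a global.
// The global name is validated so it cannot itself become an injection point.
function embedInScript(value, globalName = '__DATA__') {
  if (!/^[A-Za-z_$][\w$]*$/.test(globalName)) {
    throw new TypeError(`invalid global name: ${globalName}`);
  }
  return `<script>window.${globalName} = ${safeJsonForScript(value)};</script>`;
}

// CI/test check: the body between the tags must not contain a raw '<' at all.
function canCloseScriptTag(html) {
  const body = html.slice('<script>'.length, -'</script>'.length);
  return body.includes('<');
}
```

The escaped output is still standard JSON, so `JSON.parse` on the client returns the original value unchanged.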