Mochawesome 3.0.3 represents a minor version update to the popular Mocha.js reporter, building upon the foundation laid by version 3.0.2. While the core functionality remains consistent -- generating visually appealing and informative HTML/CSS reports for Mocha test suites -- subtle changes enhance the developer experience. Both versions share identical dependencies, leveraging libraries like chalk for stylish console output, lodash for utility functions, and mochawesome-report-generator for the heavy lifting of report creation. Development dependencies, crucial for building and maintaining the package, also remain unchanged, including tools for linting (eslint), code coverage (nyc), and testing (mocha, should, sinon).
The primary distinction between versions lies within the release metadata. Mochawesome 3.0.3 was released on July 25, 2018, a full six months after version 3.0.2, indicating a period of refinement and potential bug fixes. Most notably, the dist object contains more information inside the 3.0.3 version, which provides insights into the packaged size and contents, with a fileCount of 9 and an unpackedSize of 37584 bytes. The existence of such metadata in the newer version suggests a focus on optimizing the package for distribution, offering a more streamlined user experience for developers incorporating Mochawesome into their testing workflows. Developers should consider upgrading to 3.0.3 to leverage any potential improvements or fixes introduced during the intervening months, while maintaining confidence in the stable and well-established feature set.
All the vulnerabilities related to the version 3.0.3 of the package
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Denial of Service in mem
Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.
Upgrade to version 4.0.0 or later.
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
Inefficient Regular Expression Complexity in validator.js
validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression Complexity
