Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

mocha 6.2.3 minimatch fixed version causing security scans to fail #4837

Closed
4 tasks done
Labels
status: wontfix typically a feature which won't be added, or a "bug" which is actually intended behavior

Comments

@agustingabiola
Copy link

Prerequisites

  • Checked that your issue hasn't already been filed by cross-referencing issues with the faq label
  • Checked next-gen ES issues and syntax problems by using the same environment and/or transpiler configuration without Mocha to ensure it isn't just a feature that actually isn't supported in the environment in question or a bug in your code.
  • 'Smoke tested' the code to be tested by running it outside the real test suite to get a better sense of whether the problem is in the code under test, your usage of Mocha, or Mocha itself
  • Ensured that there is no discrepancy between the locally and globally installed versions of Mocha. You can find them with: node_modules/.bin/mocha --version(Local) and mocha --version(Global). We recommend that you not install Mocha globally.

Description

minimatch package versions before 3.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS). Fixed version of minimatch (3.0.4) for mocha version 6.2.3 is causing cloud computing scans to fail.

In the past I've seen doing some upgrade for security reasons to older major versions so I wanted to know if I need to upgrade this service that is in maintenance mode or not. Thanks a lot in advance :)

Steps to Reproduce

N/A

Expected behavior: Security scans don't fail.

Actual behavior: N/A

Reproduces how often: 100%

Versions

  • The output of mocha --version and node_modules/.bin/mocha --version: 6.2.3
@juergba
Copy link
Contributor

juergba commented Mar 1, 2022

@agustingabiola no, Mocha v6.2.3 won't be updated, see also #4759.

@juergba juergba closed this as completed Mar 1, 2022
@juergba juergba added status: wontfix typically a feature which won't be added, or a "bug" which is actually intended behavior and removed unconfirmed-bug labels Mar 1, 2022
@agustingabiola
Copy link
Author

@juergba Thanks for the swift response. Yes, makes total sense and I already pushed for not including dev deps in the scan but they only look at the lock file apparently 🤷🏼 . Have a great day :)

This was referenced Aug 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment