
🔒 Security: Upgrade yargs-parser and yargs to latest stable version #4903

Open
deathstar1708 opened this issue Jul 20, 2022 · 9 comments · May be fixed by #5165
Labels: area: security (involving vulnerabilities); semver-minor (implementation requires increase of "minor" version number; "features"); status: accepting prs (Mocha can use your help with this one!)

Comments

@deathstar1708

Currently the mocha@10.0.0 version has not upgraded its yargs-parser and yargs, which is causing a security vulnerability (NO-CVE: Regular Expression Denial Of Service (ReDoS)). Please help upgrade both to the most stable version as of current date. Thank you. Attached are the vulnerability and the most stable release in the npm package library.
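An added example (not code from the issue or from the Mocha project) of the check a defender would run before and after such an upgrade: walk an npm lockfile's `packages` map and report every installed copy of a package, including nested copies under `node_modules/mocha`, whose version is below a chosen minimum. The lockfile contents and the minimum version are constructed placeholders, not the real advisory range.

```javascript
// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator, comparing major, then minor, then patch.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lockfile v2/v3 keys look like "node_modules/yargs-parser" (hoisted copy) or
// "node_modules/mocha/node_modules/yargs-parser" (nested copy). A package can be
// installed several times at different versions, so every path is inspected.
function findOutdatedCopies(lockfile, name, minSafe) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const isTarget = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isTarget && meta.version && compareSemver(meta.version, minSafe) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile in the shape npm 7+ writes. All versions are made up
// for illustration: a hoisted yargs-parser that is new enough and a nested copy
// under mocha that is not. The minimum "21.0.0" is likewise a placeholder.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-app', dependencies: { mocha: '^10.0.0' } },
    'node_modules/mocha': { version: '10.0.0', dependencies: { 'yargs-parser': '20.2.4' } },
    'node_modules/mocha/node_modules/yargs-parser': { version: '20.2.4' },
    'node_modules/yargs-parser': { version: '21.1.1' },
  },
};

function auditSample() {
  return findOutdatedCopies(sampleLock, 'yargs-parser', '21.0.0');
}

console.log(auditSample());
```

In a real repository, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and the placeholder minimum with the version named in the advisory you are tracking.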

@marcel-becker

Snyk scan is also flagging Mocha ReDoS as a High Risk Vulnerability:
https://security.snyk.io/vuln/SNYK-JS-MOCHA-2863123.

@github-actions
Contributor

github-actions bot commented Dec 5, 2022

This issue hasn't had any recent activity, and I'm labeling it stale. Remove the label or comment or this issue will be closed in 14 days. Thanks for contributing to Mocha!

@github-actions github-actions bot added the stale this has been inactive for a while... label Dec 5, 2022
@guimard

guimard commented Dec 5, 2022

See also #4938 and #4809

@github-actions github-actions bot removed the stale this has been inactive for a while... label Dec 7, 2022
@github-actions
Contributor

github-actions bot commented Apr 7, 2023

This issue hasn't had any recent activity, and I'm labeling it stale. Remove the label or comment or this issue will be closed in 14 days. Thanks for contributing to Mocha!

@github-actions github-actions bot added the stale this has been inactive for a while... label Apr 7, 2023
@mahnunchik

Any news about updating yargs-* to latest stable version?

@github-actions github-actions bot removed the stale this has been inactive for a while... label Apr 21, 2023
@github-actions
Contributor

This issue hasn't had any recent activity, and I'm labeling it stale. Remove the label or comment or this issue will be closed in 14 days. Thanks for contributing to Mocha!

@github-actions github-actions bot added the stale this has been inactive for a while... label Aug 21, 2023
@guimard

guimard commented Aug 21, 2023

Any news about updating yargs-* to latest stable version?

@github-actions github-actions bot removed the stale this has been inactive for a while... label Aug 23, 2023
@JoshuaKGoldberg JoshuaKGoldberg added the status: accepting prs Mocha can use your help with this one! label Dec 27, 2023
@JoshuaKGoldberg
Member

Marking as accepting PRs. Note that Mocha's current major version supports Node 14, so any version of a new package must also support 14.

@JoshuaKGoldberg JoshuaKGoldberg changed the title Upgrade yargs-parser and yargs to latest stable version 🔒 Security: Upgrade yargs-parser and yargs to latest stable version Dec 27, 2023
@JoshuaKGoldberg JoshuaKGoldberg self-assigned this Jul 2, 2024
@JoshuaKGoldberg JoshuaKGoldberg added the semver-minor implementation requires increase of "minor" version number; "features" label Jul 2, 2024
@JoshuaKGoldberg JoshuaKGoldberg linked a pull request Jul 2, 2024 that will close this issue
@JoshuaKGoldberg
Member

As with #5148 (comment):

We talked internally and will treat this as semver-minor. It's a dependency of the mocha package and not an actual exported part of the API. We'll tackle soon! 🚀
