Bump jest version in @vue/cli-plugin-unit-jest

[fourpixels]

What problem does this feature solve?

It's been said that Jest 24 comes with the option to transpile globalSetup files using babel (to use ES6 modules), but current jest version in cli-plugin-unit-jest is "^23.6.0"

What does the proposed API look like?

"^24.1.0"

[st-sloth]

Beside the new options, the current jest ^23.6.0 transitively depends on braces ^1.8.2 through micromatch ^2.3.11.

This causes the vue-projects that use the current @vue/cli-plugin-unit-jest to have 63 low severity vulnerabilities because of https://www.npmjs.com/advisories/786.

Similar to #3257 but it is nightwatch there.

[dcrystalj]

is there any workaround yet?

[bendebebe]

According to: facebook/jest#6743

Unless you're using micromatch to generate passwords or API tokens, I think it's safe to say that this is unlikely to actually be a concern

You should be able to use v23.6.0 in the meantime - of course, that's only if you aren't taking advantage of v24 already.

[fourpixels]

Any news? Are there any blockers to do so? It's been a while..

[thomasmichaelwallace]

I've been successful with yarn resolutions adding the following to package.json

  "resolutions": {
    "@vue/cli-plugin-unit-jest/jest": "^24.6.0",
    "@vue/cli-plugin-unit-jest/babel-jest": "^24.6.0"
  },

[grtjn]

It seems it is fixed in 4-alpha, but not in 3.8.2 yet. Could it be bumped in v3 branch as well? Getting one vulnerability message repeated 63 times for just a dev dependency, even if it is just low, is pretty disturbing..

[haoqunjiang]

We can't. Because it's a breaking change.