Please upgrade mocha to latest version to fix vulnerability issues
VitaliiShpital opened this issue · comments
To Reproduce
Step by step instructions to reproduce the behavior:
- run
npm installin this repo - run
npm auditin this repo
Expected behavior
no deps vulnerability issues
Describe the bug
vitalii:~/Work/sanitize-html(main)$ npm audit
# npm audit report
flat <5.0.1
Severity: critical
flat vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-2j2x-2gpw-g8fm
fix available via `npm audit fix --force`
Will install mocha@10.2.0, which is a breaking change
node_modules/flat
yargs-unparser <=1.6.3
Depends on vulnerable versions of flat
node_modules/yargs-unparser
mocha 5.1.0 - 9.2.1
Depends on vulnerable versions of minimatch
Depends on vulnerable versions of yargs-unparser
node_modules/mocha
minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install mocha@10.2.0, which is a breaking change
node_modules/mocha/node_modules/minimatch
mocha 5.1.0 - 9.2.1
Depends on vulnerable versions of minimatch
Depends on vulnerable versions of yargs-unparser
node_modules/mocha
4 vulnerabilities (1 high, 3 critical)
To address all issues (including breaking changes), run:
npm audit fix --force
Details
node - 16.14.2
nothing special here. I just cloned this repo to run some tests and realised that there is such an issue
This is a devDependency, installed only for running the tests, never present in projects, therefore there is no vulnerability in practice.
But updating mocha and retesting is a reasonable thing to do. Would you like to do that, test the result and submit a PR?
sure. Here you go!
#611