Mocha update needed to resolve Regular Expression Denial of Service (ReDoS) #3506

Closed
molyholy opened this issue Nov 30, 2022 · 4 comments · Fixed by #3860
Labels
mocha Issues related to Mocha test runner


molyholy commented Nov 30, 2022

Description of the bug/issue

Vulnerability described here https://security.snyk.io/package/npm/mocha/9.2.2

@AutomatedTester
Member

@beatfactor I remember you saying something about Mocha as a dependency. Is this something we can just upgrade or is this the ESM issue I remember you mentioning?

AutomatedTester added the mocha label Dec 13, 2022
@beatfactor
Member

We would need to use Mocha 10 but it will probably introduce breaking changes.


telion2 commented Feb 1, 2023

Hello, what's the status on this?
Btw. These are the changes from 9.2.2 -> 10.2.0:
mochajs/mocha@v9.2.2...v10.2.0
Or here as a list of breaking changes: https://github.com/mochajs/mocha/releases/tag/v10.0.0
Looks like they dropped support for IE and Node 12.

So will you upgrade, replace mocha or hope that mocha fixes the issue for 9.2.2?


telion2 commented Feb 1, 2023

For those who want a fix asap: You can add:

//package.json
"overrides": {
  "mocha": "^10.2.0"
}

in your package.json, hit npm install and try if it works for you. It worked in my projects without issue.
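
A check that the override really removed every older copy of mocha from the dependency tree, as an added example that is not part of the original thread or the project's code: it scans the `packages` map of a package-lock.json (lockfile version 2 or 3) and lists mocha installs below the 10.2.0 floor. The sample lockfile and the package names `some-test-runner` and `mocha-reporter-example` are constructed for illustration.

```javascript
// Floor taken from the "^10.2.0" override suggested in the comment above.
const FLOOR = "10.2.0";

// Compare plain x.y.z versions numerically, so "9.2.2" sorts below "10.2.0".
// Assumption: pre-release/build suffixes are ignored for this check.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `name`, including copies nested under
// another package's node_modules directory.
function findPackage(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Copies of `name` that resolved below `floor`; an empty array means the
// override reached the whole tree.
function belowFloor(lock, name, floor) {
  return findPackage(lock, name).filter(
    (p) => compareVersions(p.version, floor) < 0
  );
}

// Constructed sample lockfile: one dependency still carries a nested 9.2.2.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/mocha": { version: "10.2.0" },
    "node_modules/some-test-runner": { version: "0.0.0-placeholder" },
    "node_modules/some-test-runner/node_modules/mocha": { version: "9.2.2" },
    "node_modules/mocha-reporter-example": { version: "0.0.0-placeholder" },
  },
};

console.log(belowFloor(sampleLock, "mocha", FLOOR));
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's package-lock.json.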
