-
-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mocha 6.2.3 minimatch fixed version causing security scans to fail #4837
Closed
4 tasks done
agustingabiola opened this issue
Feb 28, 2022
· 2 comments
· Fixed by M0ng00se7169/Kickstart#83 · 4 remaining pull requests
Closed
4 tasks done
mocha 6.2.3 minimatch fixed version causing security scans to fail #4837
agustingabiola opened this issue
Feb 28, 2022
· 2 comments
· Fixed by M0ng00se7169/Kickstart#83 · 4 remaining pull requests
Labels
status: wontfix
typically a feature which won't be added, or a "bug" which is actually intended behavior
Comments
@agustingabiola no, Mocha v6.2.3 won't be updated, see also #4759. |
juergba
added
status: wontfix
typically a feature which won't be added, or a "bug" which is actually intended behavior
and removed
unconfirmed-bug
labels
Mar 1, 2022
@juergba Thanks for the swift response. Yes, makes total sense and I already pushed for not including dev deps in the scan but they only look at the lock file apparently 🤷🏼 . Have a great day :) |
This was referenced Jul 16, 2024
This was referenced Aug 18, 2024
This was referenced Aug 26, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
status: wontfix
typically a feature which won't be added, or a "bug" which is actually intended behavior
Prerequisites
faq
labelnode_modules/.bin/mocha --version
(Local) andmocha --version
(Global). We recommend that you not install Mocha globally.Description
minimatch package versions before 3.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS). Fixed version of minimatch (3.0.4) for mocha version 6.2.3 is causing cloud computing scans to fail.
In the past I've seen doing some upgrade for security reasons to older major versions so I wanted to know if I need to upgrade this service that is in maintenance mode or not. Thanks a lot in advance :)
Steps to Reproduce
N/A
Expected behavior: Security scans don't fail.
Actual behavior: N/A
Reproduces how often: 100%
Versions
mocha --version
andnode_modules/.bin/mocha --version
: 6.2.3The text was updated successfully, but these errors were encountered: