Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: updating mocha from 10.2.0 -> 10.3.0 to remove CVE-2022-3517 #4199

Merged
merged 2 commits into from
May 8, 2024

Conversation

athammer
Copy link
Contributor

PR to update mocha version to remove CVE-2022-3517 found in the minimatch package that's a dependency of mocha <= 10.2.0.

Tests passed, assuming this one didn't just due to my local env, looks like just a few __ are missing.
Screenshot 2024-04-29 at 2 26 50 PM

  • Before marking your PR for review, please test and verify your changes by making appropriate modifications to any of the Nightwatch example tests (present in examples/tests directory of the project) and running them. ecosia.js and duckDuckGo.js are good examples to work with.
  • Create a new branch from master (e.g. features/my-new-feature or issue/123-my-bugfix);
  • If you're fixing a bug also create an issue if one doesn't exist yet;
  • If it's a new feature explain why do you think it's necessary. Please check with the maintainers beforehand to make sure it is something that we will accept. Usually we only accept new features if we feel that they will benefit the entire community;
  • Please avoid sending PRs which contain drastic or low level changes. If you are certain that the changes are needed, please discuss them beforehand and indicate what the impact will be;
  • If your change is based on existing functionality please consider refactoring first. Pull requests that duplicate code will most likely be ignored;
  • Do not include changes that are not related to the issue at hand;
  • Follow the same coding style with regards to spaces, semicolons, variable naming etc.;
  • Always add unit tests - PRs without tests are most of the times ignored.

@CLAassistant
Copy link

CLAassistant commented Apr 29, 2024

CLA assistant check
All committers have signed the CLA.

Copy link

github-actions bot commented May 3, 2024

Status

  • ❌ No modified files found in the types directory.
    Please make sure to include types for any changes you have made. Thank you!.

@garg3133
Copy link
Member

garg3133 commented May 8, 2024

While updating mocha to v10.3.0 seems okay, I don't see how it removes the CVE-2022-3517 vulnerability. This vulnerability is non-existent in Nightwatch v3.6.1 (latest one).

This vulnerability was fixed in minimatch v3.0.5 and if you check the package-lock.json for Nightwatch, all the minimatch versions installed are above v3.0.5. The glob dependency of minimatch does mention minimatch version as ^3.0.4 but due to the ^ sign used, the actual version installed is v3.1.2.

But anyways, this PR looks good to me.

@garg3133 garg3133 merged commit d0d3ccf into nightwatchjs:main May 8, 2024
17 checks passed
@garg3133
Copy link
Member

garg3133 commented May 8, 2024

Merged, thanks!

@athammer
Copy link
Contributor Author

athammer commented May 8, 2024

oh interesting, was following our package-lock file and we were installing that minimatch version due to the mocha version in nightwatch. Wondering if it's due to our own internal registry, either way this will fix it for us and hopefully others in our situation. So thank you!

dikwickley pushed a commit to dikwickley/nightwatch that referenced this pull request Oct 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants