Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update mocha package to address security vulnerabilities #82

Merged
merged 2 commits into from
Jun 19, 2019
Merged

Update mocha package to address security vulnerabilities #82

merged 2 commits into from
Jun 19, 2019

Conversation

DanOnCall
Copy link
Contributor

Changes

Update mocha package to address security vulnerabilities found by running npm audit:

                                                                                
                       === npm audit security report ===                        
                                                                                
# Run  npm install --save-dev [email protected]  to resolve 3 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mocha > debug                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mocha > glob > minimatch                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ growl                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mocha > growl                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/146                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

Update manually applied.

References

Vulnerability details are included in the npm audit report shared above.

Testing

Run npm test to test changes. No new tests added.

[ ] This change adds test coverage

[ x ] This change has been tested on the latest stable version of Node.js

Checklist

[ x ] I have read the Auth0 general contribution guidelines

[ x ] I have read the Auth0 Code of Conduct

[ x ] All existing and new tests complete without errors

@DanOnCall DanOnCall requested a review from a team June 19, 2019 16:05
@luisrudge luisrudge merged commit 2c9015b into master Jun 19, 2019
@luisrudge luisrudge deleted the fix-address-mocha-security-vulnerability branch June 19, 2019 17:08
@joshcanhelp joshcanhelp added this to the v1.2.0 milestone Jul 31, 2019
@snyk-bot snyk-bot mentioned this pull request May 6, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@luisrudge luisrudge luisrudge approved these changes

Assignees
No one assigned
Labels
CH: Security
Projects
None yet
Milestone
v1.2.0
Development

Successfully merging this pull request may close these issues.
3 participants
@DanOnCall @luisrudge @joshcanhelp