Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 Bug: Bump serialize-javascript from 6.0.0 to 6.0.2 #5109

Closed
3 of 4 tasks
JesKingDev opened this issue Feb 29, 2024 · 3 comments · Fixed by #5153
Closed
3 of 4 tasks

🐛 Bug: Bump serialize-javascript from 6.0.0 to 6.0.2 #5109

JesKingDev opened this issue Feb 29, 2024 · 3 comments · Fixed by #5153
Assignees
@JoshuaKGoldberg
Labels
status: accepting prs Mocha can use your help with this one! type: bug a defect, confirmed by a maintainer

Comments

@JesKingDev
Copy link

Bug Report Checklist

  • I have read and agree to Mocha's Code of Conduct and Contributing Guidelines
  • I have searched for related issues and issues with the faq label, but none matched my issue.
  • I have 'smoke tested' the code to be tested by running it outside the real test suite to get a better sense of whether the problem is in the code under test, my usage of Mocha, or Mocha itself.
  • I want to provide a PR to resolve this

Expected

Adding a dependency to the Mocha package should not introduce security vulnerabilities.

Actual

If your project uses Snyk to protect against security vulnerabilities, the Mocha dependency is flagged as problematic due to an explicit lock on serialize-javascript 6.0.0

https://security.snyk.io/package/npm/serialize-javascript

Minimal, Reproducible Example

Refer to https://security.snyk.io/package/npm/serialize-javascript for the vulnerable versions of this package.

Versions

From package-lock.json

"node_modules/mocha": {
      "version": "10.0.0",

I checked the latest Mocha package-lock.json though, and the serialize-javascript version is still at 6.0.0.

Additional Info

No response
@JesKingDev JesKingDev added status: in triage a maintainer should (re-)triage (review) this issue type: bug a defect, confirmed by a maintainer labels Feb 29, 2024
@joelgriffith joelgriffith mentioned this issue Apr 22, 2024
Closed
@silsanchez
Copy link

Hi there! I have the same issue, we are waiting for the resolution, so I will subscribe to noticies about this. thanks!

@JoshuaKGoldberg JoshuaKGoldberg self-assigned this Jul 2, 2024
@JoshuaKGoldberg JoshuaKGoldberg added status: accepting prs Mocha can use your help with this one! and removed status: in triage a maintainer should (re-)triage (review) this issue labels Jul 2, 2024
@JoshuaKGoldberg JoshuaKGoldberg mentioned this issue Jul 2, 2024
Merged
3 tasks
@JoshuaKGoldberg
Copy link
Member

+1, we want to move Mocha off older versions. Tackling as part of #5114 -> #5153!

@JoshuaKGoldberg
Copy link
Member

Released in [email protected]. 🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@JoshuaKGoldberg JoshuaKGoldberg

Labels
status: accepting prs Mocha can use your help with this one! type: bug a defect, confirmed by a maintainer
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: allow ^ versions for data serialization packages JoshuaKGoldberg/mocha
3 participants
@JoshuaKGoldberg @JesKingDev @silsanchez