Blizzard / node-rdkafka

Node.js bindings for librdkafka
MIT License

Upgrade to mocha ^10.2.0 to reduce vulnerabilities. #993

Closed TonyJDavies closed 1 year ago

TonyJDavies commented 1 year ago

Mocha stopped supporting mocha.opts at version 8.0.0, so the changes here simply add --ui exports so that mocha can be moved to the latest version.

This also eliminates a number of vulnerabilities, as shown by the npm audit report below:

# npm audit report

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install mocha@10.2.0, which is a breaking change
node_modules/mocha/node_modules/minimatch
  mocha  1.21.5 - 9.2.1
  Depends on vulnerable versions of minimatch
  Depends on vulnerable versions of mkdirp
  node_modules/mocha

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix --force`
Will install mocha@10.2.0, which is a breaking change
node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mocha/node_modules/mkdirp

4 vulnerabilities (1 moderate, 2 high, 1 critical)
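As an added illustration of the minimist prototype-pollution advisories listed in the audit above (example code written for this page, not code from node-rdkafka, mocha or minimist): a toy dotted-path option parser that exhibits the bug class, beside a hardened variant. All function names and the sample arguments are constructed.

```javascript
// Added example, not node-rdkafka or minimist code: a toy "--a.b=c" option
// parser showing the prototype-pollution bug class named in the audit
// (GHSA-xvch-5gv4-984h, GHSA-vh95-rmgr-6w4m) next to a hardened variant.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// "--a.b=c" -> { path: ['a', 'b'], value: 'c' }; a bare "--flag" is true.
function splitArg(arg) {
  const body = arg.slice(2);
  const eq = body.indexOf('=');
  const key = eq === -1 ? body : body.slice(0, eq);
  return { path: key.split('.'), value: eq === -1 ? true : body.slice(eq + 1) };
}

// Vulnerable: walks the path through plain objects, so the segment
// "__proto__" resolves to Object.prototype and the final write lands there.
function parseUnsafe(argv) {
  const out = {};
  for (const arg of argv) {
    if (!arg.startsWith('--')) continue;
    const { path, value } = splitArg(arg);
    let cur = out;
    for (const k of path.slice(0, -1)) {
      if (cur[k] === undefined) cur[k] = {};
      cur = cur[k];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}

// Hardened: reject the dangerous segments outright and build the result
// from prototype-less objects, so no write can reach Object.prototype.
function parseSafe(argv) {
  const out = Object.create(null);
  for (const arg of argv) {
    if (!arg.startsWith('--')) continue;
    const { path, value } = splitArg(arg);
    if (path.some((k) => FORBIDDEN_KEYS.has(k))) {
      throw new Error(`rejected unsafe option key in ${arg}`);
    }
    let cur = out;
    for (const k of path.slice(0, -1)) {
      if (!(k in cur)) cur[k] = Object.create(null);
      cur = cur[k];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}
```

The same defence applies to any code that merges user-controlled keys into objects, which is why a dependency upgrade rather than a local patch is the right fix for the advisories above.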
TonyJDavies commented 1 year ago

@webmakersteve, @GaryWilber - Please could a maintainer approve the workflow for this to be tested. Hopefully I've done everything needed for this but it would really help to eliminate these vulnerabilities. Thanks.

GaryWilber commented 1 year ago

Thanks for the PR. I updated the package as part of #997