🚨 [security] Update mocha 10.2.0 → 10.7.3 (minor)

[depfu[bot]]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ mocha (10.2.0 → 10.7.3) · Repo · Changelog

Release Notes

10.7.3

10.7.3 (2024-08-09)

🩹 Fixes

• make release-please build work (#5194) (afd66ef)

10.7.0

What's Changed

• feat: add option to not fail on failing test suite by @ilgonmic in #4771

New Contributors

• @ilgonmic made their first contribution in #4771

Full Changelog: v10.6.1...v10.7.0

10.6.1

What's Changed

• fix: do not exit when only unref'd timer is present in test code by @boneskull in #3825
• fix: support canonical module by @JacobLey in #5040

Full Changelog: v10.6.0...v10.6.1

10.6.0

What's Changed

• feat: allow ^ versions for character encoding packages by @JoshuaKGoldberg in #5150
• feat: allow ^ versions for yargs packages by @JoshuaKGoldberg in #5152
• feat: allow ^ versions for file matching packages by @JoshuaKGoldberg in #5151
• feat: allow ^ versions for data serialization packages by @JoshuaKGoldberg in #5153
• feat: allow ^ versions for miscellaneous packages by @JoshuaKGoldberg in #5154

Full Changelog: v10.5.2...v10.6.0

10.5.2

What's Changed

• fix: better tracking of seen objects in error serialization by @sam-super in #5032

New Contributors

• @sam-super made their first contribution in #5032

Full Changelog: v10.5.1...v10.5.2

10.5.1

What's Changed

• fix: Add error handling for nonexistent file case with --file option by @khoaHyh in #5086

New Contributors

• @khoaHyh made their first contribution in #5086

Full Changelog: v10.5.0...v10.5.1

10.5.0

🎉 Enhancements

• #5015 feat: use <progress> and <svg> for browser progress indicator instead of <canvas> (@yourWaifu)
• #5143 feat: allow using any 3.x chokidar dependencies (@simhnna)
• #4835 feat: add MOCHA_OPTIONS env variable (@icholy)

🐛 Fixes

• #5107 fix: include stack in browser uncaught error reporting (@JoshuaKGoldberg)

🔩 Other

• #5110 chore: switch two-column list styles to be opt-in (@marjys)
• #5135 chore: fix some typos in comments (@StevenMia)
• #5130 chore: rename 'master' to 'main' in docs and tooling (@JoshuaKGoldberg)

10.4.0

10.4.0 / 2024-03-26

🎉 Enhancements

• #4829 feat: include .cause stacks in the error stack traces (@voxpelli)
• #4985 feat: add file path to xunit reporter (@bmish)

🐛 Fixes

• #5074 fix: harden error handling in lib/cli/run.js (@stalet)

🔩 Other

• #5077 chore: add mtfoley/pr-compliance-action (@JoshuaKGoldberg)
• #5060 chore: migrate ESLint config to flat config (@JoshuaKGoldberg)
• #5095 chore: revert #5069 to restore Netlify builds (@voxpelli)
• #5097 docs: add sponsored to sponsorship link rels (@JoshuaKGoldberg)
• #5093 chore: add 'status: in triage' label to issue templates and docs (@JoshuaKGoldberg)
• #5083 docs: fix CHANGELOG.md headings to start with a root-level h1 (@JoshuaKGoldberg)
• #5100 chore: fix header generation and production build crashes (@JoshuaKGoldberg)
• #5104 chore: bump ESLint ecmaVersion to 2020 (@JoshuaKGoldberg)
• #5116 fix: eleventy template builds crash with 'unexpected token at ": string, msg..."' (@LcsK)
• #4869 docs: fix documentation concerning glob expansion on UNIX (@binki)
• #5122 test: fix xunit integration test (@voxpelli)
• #5123 chore: activate dependabot for workflows (@voxpelli)
• #5125 build(deps): bump the github-actions group with 2 updates (@dependabot)

10.3.0

This is a stable release equivalent to v10.3.0-preminor.0.

What's Changed

• Fix deprecated warn gh actions by @outsideris in #4962
• fix #4837 Update glob due to vulnerability in dep by @jb2311 in #4970
• Add Node v19 to test matrix by @juergba in #4974
• chore: fix the ci by @Uzlopak in #5020
• update can-i-use by @Uzlopak in #5021
• chore: remove uuid dev dependency by @Uzlopak in #5022
• chore: remove nanoid as dependency by @Uzlopak in #5024
• chore: remove touch as dev dependency by @Uzlopak in #5023
• chore: remove stale workflow by @JoshuaKGoldberg in #5029
• docs: fix fragment ID for yargs' "extends" documentation by @Spencer-Doak in #4918
• docs: use mocha.js instead of mocha in the example run by @nikolas in #4927
• docs: fix jsdoc return type of titlePath method by @F3n67u in #4886
• docs: overhaul contributing and maintenance docs for end-of-year 2023 by @JoshuaKGoldberg in #5038
• docs: touchups to labels and a template title post-revamp by @JoshuaKGoldberg in #5050
• fix: add alt text to Built with Netlify badge by @JoshuaKGoldberg in #5068
• chore: inline nyan reporter's write function by @JoshuaKGoldberg in #5056
• chore: remove unnecessary canvas dependency by @JoshuaKGoldberg in #5069

New Contributors

• @jb2311 made their first contribution in #4970
• @Uzlopak made their first contribution in #5020
• @Spencer-Doak made their first contribution in #4918
• @nikolas made their first contribution in #4927
• @F3n67u made their first contribution in #4886

Full Changelog: v10.2.0...v10.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ansi-colors (indirect, 4.1.1 → 4.1.3) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ binary-extensions (indirect, 2.2.0 → 2.3.0) · Repo

Release Notes

2.3.0

• Add afdesign, afphoto, and afpub (#30) 11b0135

v2.2.0...v2.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ braces (indirect, 3.0.2 → 3.0.3) · Repo · Changelog

Security Advisories 🚨

🚨 Uncontrolled resource consumption in braces

The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ chokidar (indirect, 3.5.3 → 3.6.0) · Repo · Changelog

Release Notes

3.6.0

What's Changed

• fix readyCount logic by @JLHwung in #1288
• handle MustScanSubDirs by @MarcCelani-at in #1197
• update fs.FSWatcher types to satisfy nodejs versions >= 16; fixes #1299 by @ben-polinsky in #1300

New Contributors

• @Mutahhar made their first contribution in #1226
• @zqianem made their first contribution in #1242
• @JLHwung made their first contribution in #1288
• @MarcCelani-at made their first contribution in #1197
• @ben-polinsky made their first contribution in #1300

Full Changelog: 3.5.3...3.6.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ diff (indirect, 5.0.0 → 5.2.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ fill-range (indirect, 7.0.1 → 7.1.1) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ serialize-javascript (indirect, 6.0.0 → 6.0.2) · Repo

Release Notes

6.0.2

• fix: serialize URL string contents to prevent XSS (#173) f27d65d
• Bump @babel/traverse from 7.10.1 to 7.23.7 (#171) 02499c0
• docs: update readme with URL support (#146) 0d88527
• chore: update node version and lock file e2a3a91
• fix typo (#164) 5a1fa64

v6.0.1...v6.0.2

6.0.1

What's Changed

• Bump mocha from 9.0.1 to 9.0.2 by @dependabot in #126
• Bump mocha from 9.0.2 to 9.0.3 by @dependabot in #127
• Bump path-parse from 1.0.6 to 1.0.7 by @dependabot in #129
• Bump mocha from 9.0.3 to 9.1.0 by @dependabot in #130
• Bump mocha from 9.1.0 to 9.1.1 by @dependabot in #131
• Bump mocha from 9.1.1 to 9.1.2 by @dependabot in #132
• Bump mocha from 9.1.2 to 9.1.3 by @dependabot in #133
• Bump mocha from 9.1.3 to 9.1.4 by @dependabot in #137
• Bump mocha from 9.1.4 to 9.2.0 by @dependabot in #138
• Bump chai from 4.3.4 to 4.3.6 by @dependabot in #140
• Bump ansi-regex from 5.0.0 to 5.0.1 by @dependabot in #141
• Bump mocha from 9.2.0 to 9.2.2 by @dependabot in #143
• Bump minimist from 1.2.5 to 1.2.6 by @dependabot in #144
• Bump mocha from 9.2.2 to 10.0.0 by @dependabot in #145
• Bump mocha from 10.0.0 to 10.1.0 by @dependabot in #149
• Bump chai from 4.3.6 to 4.3.7 by @dependabot in #150
• ci: test.yml - actions bump by @piwysocki in #151
• Bump minimatch from 3.0.4 to 3.1.2 by @dependabot in #152
• Bump mocha from 10.1.0 to 10.2.0 by @dependabot in #153
• Bump json5 from 2.1.3 to 2.2.3 by @dependabot in #155
• Fix serialization issue for 0n. by @momocow in #156
• Release v6.0.1 by @okuryu in #157

New Contributors

• @piwysocki made their first contribution in #151
• @momocow made their first contribution in #156

Full Changelog: v6.0.0...v6.0.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ workerpool (indirect, 6.2.1 → 6.5.1) · Repo · Changelog

Release Notes

6.5.1 (from changelog)

• Fix: workerThreadOpts not working when workerType: auto, see #357.

6.5.0 (from changelog)

• Implement support for passing options to web workers constructors (#400, #322). Thanks @DonatJR.

6.4.2 (from changelog)

• Fix: a bug in the timeout of termination (#395, #387). Thanks @Michsior14.

6.4.1 (from changelog)

• Fix: worker termination before it's ready (#394, #387). Thanks @Michsior14.

6.4.0 (from changelog)

• Support transferable objects (#3, #374). Thanks @Michsior14.
• Implement a new callback onTerminate at the worker side, which can be used to clean up resources, and an option workerTerminateTimeout which forcefully terminates a worker if it doesn't finish in time (#353, #377). Thanks @Michsior14.
• Pass workerThreadOpts to the onTerminateWorker callback (#376). Thanks @Michsior14.

6.3.1 (from changelog)

• Fix #318: debug ports not being released when terminating a pool.

6.3.0 (from changelog)

• Implement option workerThreadOpts to pass options to a worker of type thread, a worker_thread (#357, fixes #356). Thanks @galElmalah.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ yargs-parser (indirect, 20.2.4 → 20.2.9)

Sorry, we couldn't find anything useful about this release.

🆕 css-what (added, 2.1.3)

🆕 json-schema (added, 0.2.3)

🆕 nth-check (added, 1.0.2)

🆕 postcss (added, 7.0.39)

🆕 qs (added, 6.5.3)

🆕 sanitize-html (added, 1.27.5)

🗑️ call-bind (removed)

🗑️ get-intrinsic (removed)

🗑️ has-proto (removed)

🗑️ has-symbols (removed)

🗑️ is-plain-object (removed)

🗑️ nanoid (removed)

🗑️ object-inspect (removed)

🗑️ side-channel (removed)

🗑️ source-map-js (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu[bot]]

Closing because this update has already been applied