Closed athammer closed 1 month ago
While updating mocha to v10.3.0 seems okay, I don't see how it removes the CVE-2022-3517 vulnerability. This vulnerability is non-existent in Nightwatch v3.6.1 (latest one).
This vulnerability was fixed in minimatch v3.0.5 and if you check the package-lock.json for Nightwatch, all the minimatch versions installed are above v3.0.5. The glob dependency of minimatch does mention minimatch version as ^3.0.4 but due to the ^ sign used, the actual version installed is v3.1.2.
But anyways, this PR looks good to me.
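The lockfile check described in the comment above, as an added example that is not part of the original thread or of Nightwatch's code: it lists every resolved minimatch copy in a parsed package-lock.json and flags those below the v3.0.5 fix version the comment cites. The function names and the sample lockfile are constructed for illustration.

```javascript
// Fixed version taken from the comment above; only this threshold is checked.
const FIXED = '3.0.5';

// Compare two plain x.y.z versions; returns <0, 0 or >0. Pre-release tags are ignored.
function cmp(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Collect every resolved copy of `name` from a parsed package-lock.json.
// Handles lockfileVersion 2/3 ("packages" keyed by install path) and
// lockfileVersion 1 (nested "dependencies" objects).
function findInstalled(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + name)) found.push({ path, version: meta.version });
    }
    return found;
  }
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = trail + 'node_modules/' + dep;
      if (dep === name) found.push({ path, version: meta.version });
      walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Resolved copies that are older than the fixed version.
function vulnerableCopies(lock, name = 'minimatch', fixed = FIXED) {
  return findInstalled(lock, name).filter((p) => cmp(p.version, fixed) < 0);
}

// Constructed sample: the declared range ^3.0.4 resolved to 3.1.2 at the top level,
// while a hypothetical nested copy is still pinned at 3.0.4.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo' },
  'node_modules/glob': { version: '7.2.0', dependencies: { minimatch: '^3.0.4' } },
  'node_modules/minimatch': { version: '3.1.2' },
  'node_modules/some-tool/node_modules/minimatch': { version: '3.0.4' },
}};

console.log(vulnerableCopies(sampleLock));
```

Running it against the lockfile your own registry produced, rather than the upstream one, shows whether a different resolution is the reason a scanner reports the package.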
Merged, thanks!
Oh interesting, was following our package-lock file and we were installing that minimatch version due to the mocha version in nightwatch. Wondering if it's due to our own internal registry, either way this will fix it for us and hopefully others in our situation. So thank you!
PR to update mocha version to remove CVE-2022-3517 found in the minimatch package that's a dependency of mocha <= 10.2.0.
Tests passed, assuming this one didn't just due to my local env, looks like just a few __ are missing.