chore: updating mocha from 10.2.0 -> 10.3.0 to remove CVE-2022-3517

athammer commented 2 months ago

PR to update mocha version to remove CVE-2022-3517 found in the minimatch package that's a dependency of mocha <= 10.2.0.

Tests passed, assuming this one didn't just due to my local env, looks like just a few __ are missing. Screenshot 2024-04-29 at 2 26 50 PM

[X] Before marking your PR for review, please test and verify your changes by making appropriate modifications to any of the Nightwatch example tests (present in examples/tests directory of the project) and running them. ecosia.js and duckDuckGo.js are good examples to work with.
[X] Create a new branch from master (e.g. features/my-new-feature or issue/123-my-bugfix);
[ ] If you're fixing a bug also create an issue if one doesn't exist yet;
[ ] If it's a new feature explain why do you think it's necessary. Please check with the maintainers beforehand to make sure it is something that we will accept. Usually we only accept new features if we feel that they will benefit the entire community;
[ ] Please avoid sending PRs which contain drastic or low level changes. If you are certain that the changes are needed, please discuss them beforehand and indicate what the impact will be;
[ ] If your change is based on existing functionality please consider refactoring first. Pull requests that duplicate code will most likely be ignored;
[ ] Do not include changes that are not related to the issue at hand;
[ ] Follow the same coding style with regards to spaces, semicolons, variable naming etc.;
[ ] Always add unit tests - PRs without tests are most of the times ignored.

CLAassistant commented 2 months ago

All committers have signed the CLA.

github-actions[bot] commented 2 months ago

Status

❌ No modified files found in the types directory. Please make sure to include types for any changes you have made. Thank you!.

garg3133 commented 1 month ago

While updating mocha to v10.3.0 seems okay, I don't see how it removes the CVE-2022-3517 vulnerability. This vulnerability is non-existent in Nightwatch v3.6.1 (latest one).

This vulnerability was fixed in minimatch v3.0.5 and if you check the package-lock.json for Nightwatch, all the minimatch versions installed are above v3.0.5. The glob dependency of minimatch does mention minimatch version as ^3.0.4 but due to the ^ sign used, the actual version installed is v3.1.2.

But anyways, this PR looks good to me.

garg3133 commented 1 month ago

Merged, thanks!

athammer commented 1 month ago

oh interesting, was following our package-lock file and we were installing that minimatch version due to the mocha version in nightwatch. Wondering if it's due to our own internal registry, either way this will fix it for us and hopefully others in our situation. So thank you!

nightwatchjs / nightwatch

chore: updating mocha from 10.2.0 -> 10.3.0 to remove CVE-2022-3517 #4199

Status