Using mocha@4:
❯ yarn audit --level critical
yarn audit v1.22.19
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical │ Prototype Pollution in minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=1.2.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ mocha > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1067342 │
└───────────────┴──────────────────────────────────────────────────────────────┘
11 vulnerabilities found - Packages audited: 508
Severity: 2 Low | 6 Moderate | 2 High | 1 Critical
✨ Done in 0.80s.
After updating to mocha@6:
❯ yarn audit --level critical
yarn audit v1.22.19
warning mocha > debug@3.2.6: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
warning mocha > mkdirp@0.5.4: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
8 vulnerabilities found - Packages audited: 566
Severity: 2 Low | 5 Moderate | 1 High
✨ Done in 1.31s.