alallier/reload

Security issue with js-yaml (dependency of mocha)

meszaros-lajos-gyorgy opened this issue · 4 comments

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ reload [dev]                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ reload > mocha > js-yaml                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/813                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

Mocha is currently hardcoded to version 6.1.0, which should be changed to a range version in the long run.

Mocha is already working on a fix (mochajs/mocha#3876), so renovate should be held back until the next release.
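A small audit script, added here as an example and not code from the reload project or the issue author, that walks a lockfile's dependency tree and reports every js-yaml install below the patched 3.13.1 together with the path that pulls it in. The lockfile object is constructed for illustration; the `3.13.0` and `some-other` entries are assumed values, not taken from the real reload lockfile.

```javascript
// Constructed package-lock-style tree (npm lockfile v1 shape, nested
// "dependencies"). Versions here are sample values, not the real project's.
const lockfile = {
  name: "reload",
  dependencies: {
    mocha: {
      version: "6.1.0",
      dev: true,
      dependencies: {
        "js-yaml": { version: "3.13.0", dev: true },
      },
    },
    "some-other": {
      version: "1.0.0",
      dependencies: { "js-yaml": { version: "3.13.1" } },
    },
  },
};

// Parse "MAJOR.MINOR.PATCH"; any prerelease suffix after "-" is ignored.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// True when `version` sorts strictly below `patched` (numeric, per field).
function isBelow(version, patched) {
  const a = parseVersion(version), b = parseVersion(patched);
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Recursively collect every install of `pkg` older than `patched`,
// recording the dependency path (e.g. "reload > mocha > js-yaml") and
// whether it is only a dev dependency.
function findVulnerable(node, pkg, patched, path = [node.name]) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg && isBelow(dep.version, patched)) {
      hits.push({ path: here.join(" > "), version: dep.version, dev: Boolean(dep.dev) });
    }
    hits.push(...findVulnerable(dep, pkg, patched, here));
  }
  return hits;
}

for (const h of findVulnerable(lockfile, "js-yaml", "3.13.1")) {
  console.log(`${h.path} @ ${h.version}${h.dev ? " [dev]" : ""}`);
}
```

Run against a real lockfile by replacing the constructed object with `JSON.parse(fs.readFileSync("package-lock.json"))`.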

Does mocha need to be a dependency? Maybe it is just a dev dependency.

@cekvenich you make a good point, that's an error on my behalf; mocha should be in the dev dependencies. I'll open an issue (#186)!

Thanks @meszaros-lajos-gyorgy, I'll see if I can get these things merged tomorrow.

Closed by #179