Security: Update mocha dependency
TigerC10 opened this issue · 2 comments
The mocha package depends on growl. In mocha 3.5.0, it uses growl 1.9.2, which is susceptible to command injection.
https://nodesecurity.io/advisories/146
Need to get growl up to 1.10.2. Updating mocha to 5.1.1 will satisfy.
Interesting that this warning is not covered with GitHub's new security alerts. Thanks for taking care of it in #114!
I know that npm v6.0.0 has its new audit feature, but since that was just released I suppose GitHub's security alerts haven't integrated it yet? All I know is that when I forked the project to fix #113 I ran the `npm install` and it gave me the `npm audit` warning. ¯\_(ツ)_/¯

If GitHub's security alerts have included npm's new audit feature, then perhaps because it's a devDependency they let it slide?
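To make the two points in this thread concrete (growl reaching the project only transitively through mocha, and only as a devDependency), here is an added example, not code from the project or from anyone in this thread, that scans a lockfile-v1 style package-lock.json for any install of a named package below its fixed version and reports the dependency path that pulled it in. The lock fragment is constructed for the example; `findVulnerable` and `compareVersions` are hypothetical helper names.

```javascript
'use strict';

// Constructed sample of what `npm install` of mocha 3.5.0 could record in a
// lockfile-v1 package-lock.json: growl is not hoisted here, so it sits
// nested under mocha. In lockfile v1, `dev: true` marks a package that is
// reachable only through devDependencies.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    mocha: {
      version: '3.5.0',
      dev: true,
      requires: { growl: '1.9.2' },
      dependencies: {
        growl: { version: '1.9.2', dev: true },
      },
    },
  },
};

// Compare dotted numeric versions (no pre-release tags):
// negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Walk the nested `dependencies` tree and collect every install of `name`
// whose version is below `fixedIn`, together with the path that pulled it in
// and whether that install is dev-only.
function findVulnerable(lock, name, fixedIn) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = [...path, `${dep}@${info.version}`];
      if (dep === name && compareVersions(info.version, fixedIn) < 0) {
        hits.push({ path: here.join(' > '), version: info.version, devOnly: info.dev === true });
      }
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

console.log(findVulnerable(SAMPLE_LOCK, 'growl', '1.10.2'));
```

For a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; the `devOnly` flag tells you whether the finding is confined to the test toolchain.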