zapier/zapier-platform-cli

Obsolete Mocha depends on vulnerable Growl

Closed this issue · 5 comments

wking commented

This package currently depends on Mocha 3.4.2, which in turn depends on Growl 1.9.2. Growl <1.10.2 are vulnerable to arbitrary command injection, so npm audit run in a Zapier app with the Mocha dev dependency reports that advisory as a critical security issue. Mocha is currently up to 5.1.1, which depends on Growl 1.10.3. It would be nice to bump this package to the current Mocha to avoid the reported security issue.
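The chain described above (a dev dependency pulling in a transitive package that `npm audit` flags) can be checked without running `npm` at all by walking the lockfile. The following is an added example, not code from the zapier-platform-cli project: it reads a constructed v1-style `package-lock.json` that mirrors the mocha 3.4.2 → growl 1.9.2 chain, finds every install path to `growl`, and reports those below the first fixed version (1.10.2, the figure given in this issue). Package names and versions in `SAMPLE_LOCK` are illustrative; the `zapier-platform-core` version is a placeholder.

```python
import json

# Constructed example lockfile (NOT the project's real package-lock.json).
# It mirrors the chain from the issue: mocha 3.4.2 -> growl 1.9.2.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-zapier-app",
  "lockfileVersion": 1,
  "dependencies": {
    "mocha": {
      "version": "3.4.2",
      "dev": true,
      "requires": {"growl": "1.9.2"},
      "dependencies": {
        "growl": {"version": "1.9.2", "dev": true}
      }
    },
    "zapier-platform-core": {"version": "0.0.0-placeholder"}
  }
}
""")

# Same lockfile after bumping mocha, to show the check going clean.
FIXED_LOCK = json.loads(json.dumps(SAMPLE_LOCK))
FIXED_LOCK["dependencies"]["mocha"]["version"] = "5.1.1"
FIXED_LOCK["dependencies"]["mocha"]["requires"]["growl"] = "1.10.3"
FIXED_LOCK["dependencies"]["mocha"]["dependencies"]["growl"]["version"] = "1.10.3"


def parse_semver(version):
    """Turn '1.10.2' into (1, 10, 2). Prerelease/build suffixes are dropped,
    and missing minor/patch components default to 0."""
    core = version.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def find_package_paths(lock, name):
    """Return [(path, version), ...] for every install of `name` in a
    lockfileVersion-1 tree, where `path` lists the parents top-down."""
    results = []

    def walk(deps, path):
        for dep_name, info in deps.items():
            here = path + [dep_name]
            if dep_name == name:
                results.append((here, info.get("version")))
            # npm nests a dependency's own deps under "dependencies"
            walk(info.get("dependencies", {}), here)

    walk(lock.get("dependencies", {}), [])
    return results


def vulnerable_installs(lock, name, fixed_in):
    """Installs of `name` whose version is strictly below `fixed_in`."""
    fixed = parse_semver(fixed_in)
    return [(path, version)
            for path, version in find_package_paths(lock, name)
            if parse_semver(version) < fixed]


def report(lock, name="growl", fixed_in="1.10.2"):
    """One human-readable line per vulnerable install, empty if clean."""
    return ["%s@%s via %s (fixed in %s)" % (name, version, " > ".join(path), fixed_in)
            for path, version in vulnerable_installs(lock, name, fixed_in)]


if __name__ == "__main__":
    print("before bump:", report(SAMPLE_LOCK) or "clean")
    print("after bump: ", report(FIXED_LOCK) or "clean")
```

Because the walk records the full parent path, the output names the package you actually control (`mocha`) rather than just the flagged transitive one, which is what you need when deciding which dev dependency to bump.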

wking commented

For what it's worth, a brief skim of the Mocha 5.0.0 and 4.0.0 didn't turn up anything too suspicious, and with my app,

$ npm install --only=dev 'mocha@5.1.1'
$ zapier test

seems to work fine. I don't know enough about this package's Mocha consumption to know how reliable that single success is ;).

wking commented

This will be fixed by #320.

Closing as duplicate of #319.

wking commented

#319 is about the core package. This issue is about this package.

That's fair. Given that all 3 repos will be updated simultaneously, it seems like a single "npm audit returns a lot of issues" issue is the cleaner way to track this. They all use mocha, so it's the same fix for each.