Security update for Mocha v3.5.3 #3792
Labels
status: wontfix
typically a feature which won't be added, or a "bug" which is actually intended behavior
Comments
boneskull
added
the
status: wontfix
|
@nickkolok Why do you need to use Mocha v3.5.3? While we may support LTS releases in the not-too-distant future, the v3 major is too old to be on our radar. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Mocha v3.5.3 is recognized as insecure by
npm audit.I've turned out that updating
debugdependence from2.6.8to2.6.9removes some vulnerabilities.The appropriate patch is here: https://github.com/nickkolok/mocha/tree/v3.5.3-security-fixes
If
growl 1.9.3will be uploaded to NPM, then we can try to update it, too (see tj/node-growl#81). You cannot use 1.10.* instead.All the other found vulnerabilities are in dev dependencies.
I know that there is no official LTS support, but I believe that simple publishing a fixed package as
3.5.4is a good first step to it. Everything is ready, just test (one more time!) and publish.The text was updated successfully, but these errors were encountered: