🐛 Bug: Bump serialize-javascript from 6.0.0 to 6.0.2 #5109

@JesKingDev

Description

Bug Report Checklist

  • I have read and agree to Mocha's Code of Conduct and Contributing Guidelines
  • I have searched for related issues and issues with the faq label, but none matched my issue.
  • I have 'smoke tested' the code to be tested by running it outside the real test suite to get a better sense of whether the problem is in the code under test, my usage of Mocha, or Mocha itself.
  • I want to provide a PR to resolve this

Expected

Adding a dependency to the Mocha package should not introduce security vulnerabilities.

Actual

If your project uses Snyk to protect against security vulnerabilities, the Mocha dependency is flagged as problematic due to an explicit lock on serialize-javascript 6.0.0.

https://security.snyk.io/package/npm/serialize-javascript

Minimal, Reproducible Example

Refer to https://security.snyk.io/package/npm/serialize-javascript for the vulnerable versions of this package.

Versions

From package-lock.json

"node_modules/mocha": {
      "version": "10.0.0",

I checked the latest Mocha package-lock.json though, and the serialize-javascript version is still at 6.0.0.

Additional Info

No response

Metadata

Labels

  • status: accepting prs (Mocha can use your help with this one!)
  • type: bug (a defect, confirmed by a maintainer)

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests