use custom glob; closes #2318 #2325
Conversation
|
Without this, I believe |
|
Would appreciate another set of eyes on this to ensure I'm not totally out-of-bounds. cc @mochajs/core |
boneskull
added
High priority
status: waiting for author
|
I haven't reviewed the change itself, but I want to raise a question: Would it be a backwards-incompatible change to Mocha (e.g. due to relevant changes to the behavior of globbing as used by/with Mocha) to fork the latest version of Glob/Minimatch/anything-else-we-have-to and just change the carets? (On the other hand, this might not be scalable -- if for instance the earliest version of library X required by the latest Minimatch has carets in its own dependencies then we also have to fork X to take out the carets... and there may be multiple "X"s in this case?) If it worked, the advantage would be that we can try to keep the forks tracking the current version and getting other fixes relatively easily that way. In any case, we should start keeping a list of things we want to change in 3.x-not-a-total-rewrite if we hit the point where we can drop Node 0.8 before we hit the point where the rewrite is a viable replacement; updating to a new, non-forked Glob/Minimatch along with following the Pug renaming can both go on it for starters... |
|
I think I want to scrap this idea and just release a major. |
boneskull
removed
the
status: waiting for author
This addresses the security advisory in a non-breaking manner. It upgrades
minimatchto1.0.0, basically--but from what I can tell, the only meaningful change from0.3.0was a feature to support number padding in brace expansion.Generally speaking, what we're doing here should be avoided (forking old versions of modules and re-publishing them under new names). Doing so could potentially expose us to security issues down the road--if an issue is detected in
minimatchorgloband subsequently fixed, we will have to manually backport the fix--assuming we even know about any issue!I could go either way here; I can't conceive of a manner in which it would affect users of Mocha via usage of
mochaitself. This issue does not affect Mocha in the browser.See the forked/renamed modules glob-mocha and minimatch-mocha, the latter of which contains a backport for the advisory fix.
cc @ScottFreeCode