Update mocha dependency #758

Closed
wants to merge 1 commit into from

jtakalai (Contributor) commented Sep 29, 2022

This fixes the deprecated fsevents transitive dependency.

When I do an `npm install` in my own project, I get:

```
npm WARN deprecated [email protected]: "Please update to latest v2.3 or v2.2"
```

And further investigating with `npm ls fsevents`:

```
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └── [email protected]
```

After bumping mocha to the latest, I see that chokidar is also 3.5.3 and it has [email protected], so all good.

Thanks for maintaining this great coverage tool!

This fixes the deprecated `fsevents` transitive dependency
@codecov-commenter
Codecov Report

Base: 95.90% // Head: 95.90% // No change to project coverage 👍

Coverage data is based on head (970a89f) compared to base (8d49be0).
Patch has no changes to coverable lines.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #758   +/-   ##
=======================================
  Coverage   95.90%   95.90%           
=======================================
  Files          19       19           
  Lines        1050     1050           
=======================================
  Hits         1007     1007           
  Misses         43       43           


@jtakalai jtakalai mentioned this pull request Sep 29, 2022
@alannotnerd
Nice job!

@dbmikus
dbmikus commented Nov 23, 2022

Is there a reason that Mocha cannot be a peer dependency?

@leric7
leric7 commented Feb 3, 2023

Why don't we merge this PR?

@CJ42
CJ42 commented Apr 20, 2023

@cgewecke
This PR should really be merged.

This old version of Mocha (7.1.2) uses an old version of the minimatch package that contains a Regular Expression Denial of Service (ReDoS) vulnerability.

Considering Solidity coverage is included as a dependency in hardhat-toolbox, this might affect many projects that use Hardhat.

https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-3050818
GHSA-f8q6-p94x-37v3

Flagged by the dependabot of the ERC725 smart contracts repository
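
Added example, not part of this thread or the project's code: the comments above trace a package through the dependency tree (`npm ls fsevents`, and the old minimatch pulled in under Mocha). The function below rebuilds such chains from the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and reports the version of every installed copy. The lockfile fragment, the `coverage-tool` name and all version numbers are constructed placeholders.

```javascript
// Constructed lockfile fragment in the lockfileVersion 2/3 "packages" layout.
// "coverage-tool" and every version number are placeholders, not values from this PR.
const sampleLock = {
  packages: {
    "": { dependencies: { "coverage-tool": "*" }, devDependencies: { minimatch: "*" } },
    "node_modules/coverage-tool": { version: "0.0.1", dependencies: { mocha: "*" } },
    "node_modules/mocha": { version: "0.0.2", dependencies: { chokidar: "*", minimatch: "*" } },
    "node_modules/chokidar": { version: "0.0.3", optionalDependencies: { fsevents: "*" } },
    "node_modules/fsevents": { version: "0.0.4", optional: true },
    "node_modules/mocha/node_modules/minimatch": { version: "0.0.5" },
    "node_modules/minimatch": { version: "9.9.9" },
  },
};

// Resolve `name` the way Node does from the package installed at `fromPath`:
// its own node_modules first, then each enclosing node_modules directory.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed (e.g. a skipped optional dependency)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Return every chain from the root project to an installed copy of `target`,
// with the version of each copy, so a nested old copy is not hidden by a newer hoisted one.
function findChains(lock, target) {
  const packages = lock.packages;
  const chains = [];
  const walk = (path, trail, seen) => {
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...(path === "" ? pkg.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const resolved = resolveDep(packages, path, name);
      if (!resolved || seen.has(resolved)) continue; // unresolved or cyclic
      const step = name + "@" + packages[resolved].version;
      if (name === target) chains.push([...trail, step].join(" > "));
      else walk(resolved, [...trail, step], new Set(seen).add(resolved));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

console.log(findChains(sampleLock, "minimatch").join("\n"));
```

Run against a real lockfile by passing `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` as the first argument; peer dependencies are not followed.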

@cgewecke
Member

Sorry, done in #810

@cgewecke cgewecke closed this Sep 21, 2023