Mocha: js-yaml needs to be updated (and should have a range version)

Created on 16 Apr 2019 · 7Comments · Source: mochajs/mocha

Description

js-yaml has a new security vulnerability: https://www.npmjs.com/advisories/813

For some reason, a specific version (3.13.0) is being specified in package.json. Why isn't this a range?

Steps to Reproduce

Install the latest version of mocha, then run yarn audit.

Expected behavior:
No vulnerabilities found.

Actual behavior:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mocha > js-yaml                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/813                         │
└───────────────┴──────────────────────────────────────────────────────────────┘

Versions

mocha 6.1.3

security semver-patch

Source

kaiyoma

👍38

Most helpful comment

Do you have any idea on when the PR will get merged? Our team is very eager for this security fix :)

anastasia-b on 16 Apr 2019

👍10

All 7 comments

This is giving me a sev:high security alert when I run npm audit :(

soatok on 16 Apr 2019

👍10

Someone is being really active at npm, going through js-yaml with a fine tooth comb. The last issue was reported in less than a month: https://www.npmjs.com/advisories/788

meszaros-lajos-gyorgy on 16 Apr 2019

😄1

Same warning here, npm audit --force fix wasn't fixing it.

I had to update the package.json of mocha manually with:

"js-yaml": "3.13.1"

fsinisi90 on 16 Apr 2019

Do you have any idea on when the PR will get merged? Our team is very eager for this security fix :)

anastasia-b on 16 Apr 2019

👍10

Out of curiosity, what is the rationale behind pinning exact dependency versions in package.json (@plroebuck)? Why not at least use the tilde operator, so npm audit can fix issues like this one without having to wait for the next mocha release? Did a quick search in this repo and the maintainers doc but couldn't find any explanation.