It's been said that Jest 24 comes with the option to transpile globalSetup files using babel (to use ES6 modules), but the current jest version in cli-plugin-unit-jest is "^23.6.0"
"^24.1.0"
Beside the new options, the current jest ^23.6.0 transitively depends on braces ^1.8.2 through micromatch ^2.3.11. This causes the vue-projects that use the current @vue/cli-plugin-unit-jest to have 63 low severity vulnerabilities because of https://www.npmjs.com/advisories/786.
Similar to #3257 but it is nightwatch there.
Is there any workaround yet?
According to: facebook/jest#6743
Unless you're using micromatch to generate passwords or API tokens, I think it's safe to say that this is unlikely to actually be a concern
You should be able to use v23.6.0 in the meantime - of course, that's only if you aren't taking advantage of v24 already.
Any news? Are there any blockers to do so? It's been a while..
I've been successful with yarn resolutions, adding the following to package.json:
  "resolutions": {
    "@vue/cli-plugin-unit-jest/jest": "^24.6.0",
    "@vue/cli-plugin-unit-jest/babel-jest": "^24.6.0"
  },
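Added example, not part of the thread or of either project's code: a small Node.js script that lists every dependency path leading to braces in a tree shaped like `npm ls --json` output, and derives the yarn resolutions key for the parent to override. The tree is constructed (only the jest, micromatch and braces versions echo the ranges quoted above), and the function names are hypothetical.

```javascript
// Constructed sample shaped like `npm ls --json` output. Only the jest,
// micromatch and braces versions mirror the thread; the rest is illustrative.
const micromatch = () => ({
  version: '2.3.11',
  dependencies: { braces: { version: '1.8.2' } },
});
const sampleTree = {
  name: 'my-vue-app',
  dependencies: {
    '@vue/cli-plugin-unit-jest': {
      version: '3.8.2',
      dependencies: {
        jest: {
          version: '23.6.0',
          dependencies: {
            'jest-cli': {
              version: '23.6.0',
              dependencies: {
                micromatch: micromatch(),
                'jest-haste-map': {
                  version: '23.6.0',
                  dependencies: { micromatch: micromatch() },
                },
              },
            },
          },
        },
        'babel-jest': { version: '23.6.0' },
      },
    },
    vue: { version: '2.6.10' },
  },
};

// Depth-first walk that records every path ending at `target`.
function findPaths(node, target, trail = [], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const step = [...trail, { name, version: child.version }];
    if (name === target) out.push(step);
    findPaths(child, target, step, out);
  }
  return out;
}

// Render one path as "a@1 > b@2 > target@3".
function formatPath(path) {
  return path.map((s) => `${s.name}@${s.version}`).join(' > ');
}

// Yarn "resolutions" keys ("<top-level>/<via>") for paths that pass through `via`.
function resolutionKeys(paths, via) {
  const keys = new Set();
  for (const p of paths) {
    if (p.slice(1).some((s) => s.name === via)) keys.add(`${p[0].name}/${via}`);
  }
  return [...keys].sort();
}

const paths = findPaths(sampleTree, 'braces');
paths.forEach((p) => console.log(formatPath(p)));
console.log(resolutionKeys(paths, 'jest'));
```

On a real project, the tree would come from parsing the output of `npm ls --json` instead of `sampleTree`.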
It seems it is fixed in 4-alpha, but not in 3.8.2 yet. Could it be bumped in v3 branch as well? Getting one vulnerability message repeated 63 times for just a dev dependency, even if it is just low, is pretty disturbing..
We can't. Because it's a breaking change.