…ulnerabilities (serialize-javascript, diff, ajv)
Pull request overview
This PR upgrades the Mocha testing framework from 10.x to 11.x and addresses known security vulnerabilities in dev dependencies (serialize-javascript, diff, ajv) by upgrading them and adding npm overrides.
Changes:
- `package.json`: Updated `mocha` to `11.x`, replaced the empty `dependencies: {}` with an `overrides` section that forces `serialize-javascript` to `7.x` and `diff` to `8.x`
- `package-lock.json`: Updated lock entries for mocha (10 → 11) and all transitive dependencies (chokidar 3→4, glob 8→10, workerpool 6→9, yargs 16→17, diff 5→8, serialize-javascript 6→7, ajv 6.12.6→6.14.0, etc.)
- `CHANGES.md`: Added a changelog entry for version 14.1.2
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| package.json | Upgrades mocha devDependency to 11.x; adds overrides for serialize-javascript and diff to address security alerts |
| package-lock.json | Updated lock file reflecting mocha 11 and all cascading transitive dependency upgrades |
| CHANGES.md | New changelog entry for 14.1.2 with description of security dependency fixes |
package.json
Outdated
| "license": "MIT", | ||
| "dependencies": {} | ||
| "overrides": { | ||
| "serialize-javascript": "7.x", |
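Review bot: the override range `"serialize-javascript": "7.x"` is floating, so a fresh install without the lock file lands on whatever the newest 7.x release is at that moment rather than the specific patched release that was reviewed; if the override is kept at all, pin it to the exact version the lock resolves (7.0.4, per the comment below) so that `npm ci` and a lock-less `npm install` agree on what is being tested.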
The serialize-javascript override forces version 7.x (installed as 7.0.4), which declares "node": ">=20.0.0" as its engine requirement. However, mocha 11 itself declares "serialize-javascript": "^6.0.2" and mocha's own engine range is ^18.18.0 || ^20.9.0 || >=21.1.0. This means the CI builds for Node 16.x and 18.x will fail not only due to mocha's incompatibility but also due to serialize-javascript 7.x's hard >=20.0.0 requirement. The serialize-javascript override may be unnecessary since serialize-javascript 6.0.2 (what mocha 11 resolves to) does not have the same vulnerability, and the upgrade to mocha 11 already pulls in a patched version.
| "serialize-javascript": "7.x", |
| "devDependencies": { | ||
| "eslint": "8.x", | ||
| "mocha": "10.x", | ||
| "mocha": "11.x", |
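Review bot: the bump from `"mocha": "10.x"` to `"11.x"` raises the minimum Node version (the comment below cites `^18.18.0 || ^20.9.0 || >=21.1.0`), yet neither the `engines` field nor the CI matrix changes in this PR, and the CHANGES.md entry describes 14.1.2 only as dependency security fixes; dropping Node 16 and early 18.x is visible to anyone who runs the test suite, so record it in the changelog and update `engines` and the workflow matrix in the same change, or hold the upgrade.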
Mocha 11 requires Node.js ^18.18.0 || ^20.9.0 || >=21.1.0, but the project's engines field and CI matrix still include Node 16.x. Additionally, serialize-javascript 7.x (forced via the overrides field) requires node >= 20.0.0, meaning builds on Node 16.x and on Node 18.x versions below 18.18.0 will fail. The CI workflow in .github/workflows/node-test.js.yml tests against [16.x, 18.x, 20.x, 22.x, 24.x], so these failures would be encountered immediately in CI.
If the intent is to drop Node 16 support, the engines field in package.json and the CI matrix should be updated accordingly. If Node 16 and 18 support must be retained, mocha 11 cannot be used as-is.
package.json
Outdated
| "serialize-javascript": "7.x", | ||
| "diff": "8.x" |
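Review bot: `"diff": "8.x"` forces a major version above the `^7.0.0` that mocha 11 declares (per the comment below), and nothing in the PR shows the suite being run on the overridden tree; before merging, run the tests with at least one deliberately failing assertion so the code path where mocha uses `diff` actually executes under 8.x, or drop the override and rely on the 7.x that mocha 11 resolves to.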
The overrides section forces diff to 8.x, but mocha 11 declares "diff": "^7.0.0" as its dependency. The npm overrides mechanism will force-install [email protected] even though it falls outside mocha's declared semver range. If diff 8.x introduced any breaking API changes compared to diff 7.x (which it does — for example, diff 8.x dropped CJS support and is ESM-only), this will cause mocha's internal usage of diff to break at runtime. This override may be unnecessary since the diff vulnerability can be addressed by ensuring mocha 11 itself pulls in diff 7.0.0 (which is already patched), and the override can be removed.
| "serialize-javascript": "7.x", | |
| "diff": "8.x" | |
| "serialize-javascript": "7.x" |
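Review bot: the suggested change removes only the `diff` override and keeps `"serialize-javascript": "7.x"`, which the first comment on this file flags as both unnecessary (mocha 11 already resolves a patched 6.0.2) and incompatible with Node below 20; if that assessment holds, the whole `overrides` block should be deleted rather than left with a single entry.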
Upgrade mocha from 10.x to 11.x and fix all dev dependency security vulnerabilities (serialize-javascript, diff, ajv)
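The two problems the review comments describe, an `engines.node` range that rejects part of the CI matrix and an override that forces a version outside the range the dependent declares, can be caught mechanically before CI runs. The following is an added example, not code from this PR, from mocha or from npm: a minimal semver matcher that covers only the range syntax appearing in the comments above, run over a constructed sample of the lock data those comments report. The mocha 11 and diff 8 version numbers are placeholders, and the Node runner versions are representative picks for the `[16.x, 18.x, 20.x, 22.x, 24.x]` matrix, not the real resolution of that matrix.

```javascript
// Added example (not code from the PR, mocha or npm): audit the engine and
// override conflicts described in the review, using a minimal semver matcher
// that understands only ^x.y.z, >=/<=/>/< x.y.z, N.x, exact versions and "||".

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`cannot parse version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// One comparator, no "||". Throws on syntax it does not understand rather
// than silently reporting "satisfied", which would hide the very conflict
// this audit is looking for.
function satisfiesOne(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  let m;
  if ((m = /^(\d+)\.x$/.exec(r))) return v[0] === Number(m[1]);      // "7.x"
  if ((m = /^\^(\d+\.\d+\.\d+)$/.exec(r))) {                           // "^18.18.0"
    const lo = parseVersion(m[1]);
    // caret: below the next major, or next minor/patch for 0.y.z and 0.0.z
    const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0]
             : lo[1] > 0 ? [0, lo[1] + 1, 0]
             : [0, 0, lo[2] + 1];
    return compare(v, lo) >= 0 && compare(v, hi) < 0;
  }
  if ((m = /^(>=|<=|>|<)\s*(\d+\.\d+\.\d+)$/.exec(r))) {               // ">=20.0.0"
    const c = compare(v, parseVersion(m[2]));
    return { ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0 }[m[1]];
  }
  if (/^\d+\.\d+\.\d+$/.test(r)) return compare(v, parseVersion(r)) === 0;
  throw new Error(`unsupported range syntax: ${r}`);
}

function satisfies(version, range) {
  return range.split("||").some((part) => satisfiesOne(version, part));
}

// Constructed sample, not read from the real package-lock.json: installed
// version, declared engines.node, and the ranges each package declares for its
// own dependencies, as reported in the review comments. "11.0.0" and "8.0.0"
// are placeholders for "some 11.x" and "some 8.x".
const installed = {
  mocha: {
    version: "11.0.0",
    engines: "^18.18.0 || ^20.9.0 || >=21.1.0",
    dependencies: { "serialize-javascript": "^6.0.2", diff: "^7.0.0" },
  },
  "serialize-javascript": { version: "7.0.4", engines: ">=20.0.0" },
  diff: { version: "8.0.0" },
};

// The overrides block from the PR's package.json.
const overrides = { "serialize-javascript": "7.x", diff: "8.x" };

// Names of packages whose engines.node rejects the given Node version.
function engineConflicts(pkgs, nodeVersion) {
  return Object.keys(pkgs).filter((name) => {
    const eng = pkgs[name].engines;
    return eng !== undefined && !satisfies(nodeVersion, eng);
  });
}

// Overrides that force a dependent onto a version outside the range it
// declared for that dependency.
function overrideConflicts(pkgs, ovr) {
  const out = [];
  for (const dep of Object.keys(ovr)) {
    const forced = pkgs[dep].version;
    if (!satisfies(forced, ovr[dep])) {
      throw new Error(`lock has ${dep}@${forced}, override says ${ovr[dep]}`);
    }
    for (const [dependent, info] of Object.entries(pkgs)) {
      const declared = info.dependencies && info.dependencies[dep];
      if (declared && !satisfies(forced, declared)) {
        out.push({ dependent, dep, declared, forced });
      }
    }
  }
  return out;
}

// Representative runner versions for the CI matrix named in the review; the
// two 18.x entries bracket mocha's 18.18.0 floor.
const ciNodeVersions = ["16.20.0", "18.17.0", "18.18.0", "20.9.0", "22.0.0", "24.0.0"];

for (const node of ciNodeVersions) {
  const bad = engineConflicts(installed, node);
  console.log(`node ${node}: ${bad.length ? "FAIL " + bad.join(", ") : "ok"}`);
}
for (const c of overrideConflicts(installed, overrides)) {
  console.log(`${c.dependent} declares ${c.dep}@${c.declared} but override installs ${c.forced}`);
}
```

In a real repository the `installed` object would be built from the `packages` map in package-lock.json and the matrix read from the workflow file; the useful property is that the matcher refuses range syntax it cannot parse, so a conflict is never hidden behind an optimistic default.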