Skip to content

STOP-5391 : Update mocha version to resolve critical vulnerability#4

Merged
SB-ChetanKorde merged 6 commits intomasterfrom
fix-critical-vulnerabilities
Mar 27, 2026
Merged

STOP-5391 : Update mocha version to resolve critical vulnerability#4
SB-ChetanKorde merged 6 commits intomasterfrom
fix-critical-vulnerabilities

Conversation

@SB-ChetanKorde
Copy link
Copy Markdown

@SB-ChetanKorde SB-ChetanKorde commented Mar 4, 2026
edited
Loading

Motivation and Context

We have critical vulnerability to resolve from this repo.
image

How Has This Been Tested?

  1. Run npm test command successfully
  2. Run npm lint successfully

Screenshot(s)/recordings(s)

image image

Types of changes

Change in Package.json and package-lock.json file, upgrade package versions.
Update package patch version for this repo

@SB-ChetanKorde
fix: resolve critical vulnerabilities except node 18 incompatible ser…
39fddba 
…ialize-javascript

- Fixed diff DoS vulnerability via npm overrides (pinned to 5.2.1)
- Updated all dependencies to latest secure versions
- All 148 tests passing with 99.85% code coverage
- Documented unavoidable serialize-javascript@7.0.2 RCE vulnerability that requires Node 20+
- Added SECURITY.md with vulnerability management policy
- Production builds unaffected (mocha is dev-only dependency)
@SB-ChetanKorde
chore: update package version
93d9071
@SB-ChetanKorde
fix: added support for node engine 24
794ea61
@SB-ChetanKorde
fix: resolve vulnerabilities with npm audit and update dependencies
cb22db3 
- Ran npm audit fix to address identified security issues
- Updated dependencies to secure versions
- All 148 tests passing with maintained code coverage
- Remaining 2 high-severity vulnerabilities documented in SECURITY.md
  (serialize-javascript and diff require Node 20+ for full patching)
- Production builds remain unaffected (mocha is dev-only dependency)
@SB-ChetanKorde
chore: update engine support till 24.14.0
fd5467f
@SB-ChetanKorde
fix: resolve all npm vulnerabilities for node 20 and 24
f71a473 
- Added npm overrides for vulnerable transitive dependencies
- Updated diff to 8.0.4 (fixes DoS vulnerability)
- Updated serialize-javascript to 7.0.4 (fixes RCE vulnerability)
- Updated brace-expansion to 5.0.5 (fixes ReDoS)
- Updated minimatch to 9.0.9 (fixes ReDoS variants)
- Zero vulnerabilities detected by npm audit
- All 148 tests passing with 99.85% code coverage
- Supports Node 14-24 with full security patching on Node 20+
pareshb3089
pareshb3089 approved these changes Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown

@pareshb3089 pareshb3089 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good

@SB-ChetanKorde SB-ChetanKorde merged commit 05fb88e into master Mar 27, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pareshb3089 pareshb3089 pareshb3089 approved these changes

@bhaskarsontakke bhaskarsontakke Awaiting requested review from bhaskarsontakke

@prafullaAtSB prafullaAtSB Awaiting requested review from prafullaAtSB

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@SB-ChetanKorde @pareshb3089