Update mocha dependency #758

Closed

jtakalai
Contributor

@jtakalai jtakalai commented Sep 29, 2022

This fixes the deprecated fsevents transitive dependency.

When I do an `npm install` in my own project, I get:

```
npm WARN deprecated fsevents@2.1.3: "Please update to latest v2.3 or v2.2"
```

And further investigating with `npm ls fsevents`:

```
│ └─┬ solidity-coverage@0.8.2
│   └─┬ mocha@7.1.2
│     └─┬ chokidar@3.3.0
│       └── fsevents@2.1.3
```

After bumping mocha to the latest, I see that chokidar is also 3.5.3 and it has fsevents@2.3.2, so all good.

Thanks for maintaining this great coverage tool!

This fixes the deprecated `fsevents` transitive dependency
@codecov-commenter

Codecov Report

Base: 95.90% // Head: 95.90% // No change to project coverage 👍

Coverage data is based on head (970a89f) compared to base (8d49be0).
Patch has no changes to coverable lines.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #758   +/-   ##
=======================================
  Coverage   95.90%   95.90%           
=======================================
  Files          19       19           
  Lines        1050     1050           
=======================================
  Hits         1007     1007           
  Misses         43       43           


@jtakalai jtakalai mentioned this pull request Sep 29, 2022
@alannotnerd

Nice job!

@dbmikus

dbmikus commented Nov 23, 2022

Is there a reason that Mocha cannot be a peer dependency?

@leric7

leric7 commented Feb 3, 2023

Why don't we merge this PR?

@CJ42

CJ42 commented Apr 20, 2023

@cgewecke
This PR should really be merged.

This old version of Mocha (7.1.2) uses an old version of the minimatch package that contains a Regular Expression Denial of Service (ReDoS) vulnerability.

Considering Solidity coverage is included as a dependency in hardhat-toolbox, this might affect many projects that use Hardhat.

https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-3050818
GHSA-f8q6-p94x-37v3

Flagged by the dependabot of the ERC725 smart contracts repository
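
The `npm ls` check used earlier in this thread, as an added example that is not part of the PR or the project's code: it walks the JSON form of the dependency tree (as produced by `npm ls --all --json`) and reports every chain that pulls in a named transitive package below a minimum version, which applies equally to `fsevents` or `minimatch`. The root name `my-project`, the bumped mocha version and the `2.2.0` threshold (read from the deprecation message) are assumptions.

```javascript
// Constructed sample in the shape of `npm ls --all --json` output. The chain
// mirrors the `npm ls fsevents` tree quoted in this thread; the root name
// "my-project" is hypothetical.
const sampleTree = (mocha, chokidar, fsevents) => ({
  name: "my-project",
  dependencies: {
    "solidity-coverage": {
      version: "0.8.2",
      dependencies: {
        mocha: { version: mocha, dependencies: {
          chokidar: { version: chokidar, dependencies: {
            fsevents: { version: fsevents },
          } },
        } },
      },
    },
  },
});
const before = sampleTree("7.1.2", "3.3.0", "2.1.3");
// After the bump: the mocha version is a constructed placeholder; chokidar
// 3.5.3 and fsevents 2.3.2 are the versions reported in the thread.
const after = sampleTree("10.0.0", "3.5.3", "2.3.2");

// Compare plain x.y.z versions numerically (pre-release tags are not handled).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Return every dependency chain ending at `target`, flagging chains whose
// resolved version is below `minVersion`.
function findChains(tree, target, minVersion) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, node] of Object.entries(deps || {})) {
      if (!node.version) continue; // unmet or missing entry, nothing to compare
      const chain = [...trail, `${name}@${node.version}`];
      if (name === target) {
        hits.push({ chain: chain.join(" > "),
                    outdated: compareVersions(node.version, minVersion) < 0 });
      }
      walk(node.dependencies, chain);
    }
  };
  walk(tree.dependencies, []);
  return hits;
}
```
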

@cgewecke
Member

Sorry, done in #810

@cgewecke cgewecke closed this Sep 21, 2023
7 participants