
mocha 6.2.3 minimatch fixed version causing security scans to fail #4837

Closed
4 tasks done
agustingabiola opened this issue Feb 28, 2022 · 2 comments
Labels
status: wontfix typically a feature which won't be added, or a "bug" which is actually intended behavior

Comments

@agustingabiola

Prerequisites

  • Checked that your issue hasn't already been filed by cross-referencing issues with the faq label
  • Checked next-gen ES issues and syntax problems by using the same environment and/or transpiler configuration without Mocha to ensure it isn't just a feature that actually isn't supported in the environment in question or a bug in your code.
  • 'Smoke tested' the code to be tested by running it outside the real test suite to get a better sense of whether the problem is in the code under test, your usage of Mocha, or Mocha itself
  • Ensured that there is no discrepancy between the locally and globally installed versions of Mocha. You can find them with: node_modules/.bin/mocha --version(Local) and mocha --version(Global). We recommend that you not install Mocha globally.

Description

The minimatch package in versions before 3.0.5 is vulnerable to Regular Expression Denial of Service (ReDoS). The fixed version of minimatch (3.0.4) for Mocha version 6.2.3 is causing cloud computing scans to fail.

In the past I've seen security upgrades being done for older major versions, so I wanted to know whether I need to upgrade this service, which is in maintenance mode, or not. Thanks a lot in advance :)

Steps to Reproduce

N/A

Expected behavior: Security scans don't fail.

Actual behavior: N/A

Reproduces how often: 100%

Versions

  • The output of mocha --version and node_modules/.bin/mocha --version: 6.2.3
@juergba
Member

juergba commented Mar 1, 2022

@agustingabiola no, Mocha v6.2.3 won't be updated, see also #4759.

@juergba juergba closed this as completed Mar 1, 2022
@juergba juergba added status: wontfix typically a feature which won't be added, or a "bug" which is actually intended behavior and removed unconfirmed-bug labels Mar 1, 2022
@agustingabiola
Author

@juergba Thanks for the swift response. Yes, makes total sense and I already pushed for not including dev deps in the scan but they only look at the lock file apparently 🤷🏼 . Have a great day :)
