PyPi: Js-Mocha

CVE-2016-10540

Transitive

Safety vulnerability ID: 34500

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at May 31, 2018. Updated at Mar 22, 2023.

Advisory

Js.mocha 2.2.5 (Fanstatic packaging of Mocha) has NPM dependencies with known vulnerabilities (glob).

Affected package

js-mocha

Latest version: 2.2.5

Fanstatic packaging of Mocha

Affected versions

Fixed versions

Vulnerability changelog


:boom: Breaking Changes

- :warning: Due to the increasing difficulty of applying security patches made within its dependency tree, as well as looming incompatibilities with Node.js v7.0, **Mocha no longer supports Node.js v0.8**.
- :warning: **Mocha may no longer be installed by versions of `npm` less than `1.4.0`.** Previously, this requirement only affected Mocha's development dependencies. In short, this allows Mocha to depend on packages which have dependencies fixed to major versions (`^`).
- `.only()` is no longer "fuzzy", can be used multiple times, and generally just works like you think it should. :joy:
- To avoid common bugs, when a test injects a callback function (suggesting asynchronous execution), calls it, *and* returns a `Promise`, Mocha will now throw an exception:

```js
const assert = require('assert');

// Takes a `done` callback AND returns a Promise: Mocha now rejects this combination.
it('should complete this test', function (done) {
  return new Promise(function (resolve) {
    assert.ok(true);
    resolve();
  })
    .then(done);
});
```

The above test will fail with `Error: Resolution method is overspecified. Specify a callback *or* return a Promise; not both.`.
- When a test timeout value *greater than* `2147483648` is specified in any context (`--timeout`, `mocha.setup()`, per-suite, per-test, etc.), the timeout will be *disabled* and the test(s) will be allowed to run indefinitely. This is equivalent to specifying a timeout value of `0`. See [MDN](https://developer.mozilla.org/docs/Web/API/WindowTimers/setTimeoutMaximum_delay_value) for reasoning.
- The `dot` reporter now uses more visually distinctive characters when indicating "pending" and "failed" tests.
- Mocha no longer supports [component](https://www.npmjs.com/package/component).
- The long-forsaken `HTMLCov` and `JSONCov` reporters, and any relationship to the "node-jscoverage" project, have been removed.
- `spec` reporter now omits leading carriage returns (`\r`) in non-TTY environment.

:tada: Enhancements

- [808]: Allow regular-expression-like strings in `--grep` and browser's `grep` querystring; enables flags such as `i` for case-insensitive matches and `u` for unicode. ([a8m])
- [2000]: Use distinctive characters in `dot` reporter; `,` will denote a "pending" test and `!` will denote a "failing" test. ([elliottcable])
- [1632]: Throw a useful exception when a suite or test lacks a title. ([a8m])
- [1481]: Better `.only()` behavior. ([a8m])
- [2334]: Allow `this.skip()` in async tests and hooks. ([boneskull])
- [1320]: Throw a useful exception when test resolution method is overspecified. ([jugglinmike])
- [2364]: Support `--preserve-symlinks`. ([rosswarren])

:bug: Bug Fixes

- [2259]: Restore ES3 compatibility. Specifically, support an environment lacking `Date.prototype.toISOString()`, `JSON`, or has a non-standard implementation of `JSON`. ([ndhoule], [boneskull])
- [2286]: Fix `after()` failing to execute if test skipped using `this.skip()` in `beforeEach()`; no longer marks the entire suite as "pending". ([dasilvacontin], [boneskull])
- [2208]: Fix function name display in `markdown` and `html` (browser) reporters. ([ScottFreeCode])
- [2299]: Fix progress bar in `html` (browser) reporter. ([AviVahl])
- [2307]: Fix `doc` reporter crashing when test fails. ([jleyba])
- [2323]: Ensure browser entry point (`browser-entry.js`) is published to npm (for use with bundlers). ([boneskull])
- [2310]: Ensure custom reporter with an absolute path works in Windows. ([silentcloud])
- [2311]: Fix problem wherein calling `this.slow()` without a value would blast any previously set value. ([boneskull])
- [1813]: Ensure Mocha's own test suite will run in Windows. ([tswaters], [TimothyGu], [boneskull])
- [2317]: Ensure all interfaces are displayed in `--help` on CLI. ([ScottFreeCode])
- [1644]: Don't exhibit undefined behavior when calling `this.timeout()` with very large values ([callumacrae], [boneskull])
- [2361]: Don't truncate name of thrown anonymous exception. ([boneskull])
- [2367]: Fix invalid CSS. ([bensontrent])
- [2401]: Remove carriage return before each test line in spec reporter. ([Munter])

:nut_and_bolt: Other

- Upgrade production dependencies to address security advisories (and because now we can): `glob`, `commander`, `escape-string-regexp`, and `supports-color`. ([boneskull], [RobLoach])
- Add Windows to CI. ([boneskull], [TimothyGu])
- Ensure appropriate `engines` field in `package.json`. ([shinnn], [boneskull])
- [2348]: Upgrade ESLint to v2 ([anthony-redfox])

We :heart: our [backers and sponsors](https://opencollective.com/mochajs)!

:shipit:

[2401]: https://github.com/mochajs/mocha/pull/2401
[2348]: https://github.com/mochajs/mocha/issues/2348
[808]: https://github.com/mochajs/mocha/issues/808
[2361]: https://github.com/mochajs/mocha/pull/2361
[2367]: https://github.com/mochajs/mocha/pull/2367
[2364]: https://github.com/mochajs/mocha/pull/2364
[1320]: https://github.com/mochajs/mocha/pull/1320
[2307]: https://github.com/mochajs/mocha/pull/2307
[2259]: https://github.com/mochajs/mocha/pull/2259
[2208]: https://github.com/mochajs/mocha/pull/2208
[2299]: https://github.com/mochajs/mocha/pull/2299
[2286]: https://github.com/mochajs/mocha/issues/2286
[1644]: https://github.com/mochajs/mocha/issues/1644
[2310]: https://github.com/mochajs/mocha/issues/2310
[2311]: https://github.com/mochajs/mocha/issues/2311
[2323]: https://github.com/mochajs/mocha/issues/2323
[2000]: https://github.com/mochajs/mocha/pull/2000
[1632]: https://github.com/mochajs/mocha/issues/1632
[1813]: https://github.com/mochajs/mocha/issues/1813
[2334]: https://github.com/mochajs/mocha/issues/2334
[2317]: https://github.com/mochajs/mocha/issues/2317
[1481]: https://github.com/mochajs/mocha/issues/1481
[elliottcable]: https://github.com/elliottcable
[RobLoach]: https://github.com/robloach
[AviVahl]: https://github.com/avivahl
[silentcloud]: https://github.com/silentcloud
[tswaters]: https://github.com/tswaters
[jleyba]: https://github.com/jleyba
[TimothyGu]: https://github.com/timothygu
[callumacrae]: https://github.com/callumacrae
[shinnn]: https://github.com/shinnn
[bensontrent]: https://github.com/bensontrent
[jugglinmike]: https://github.com/jugglinmike
[rosswarren]: https://github.com/rosswarren
[anthony-redfox]: https://github.com/anthony-redfox
[Munter]: https://github.com/munter

Resources


Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): HIGH

CVSS v2 Details

MEDIUM 5.0
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): PARTIAL