fix(vulnerabilty): switch tiny dependency and use same code

[deleonio]

Requirements

See #4332

The problem is the maintainment of two dependencies.
Main impact comes from lodash.
Second impact is the missing update from yargs-unparser.

Description of the Change

The current master code of yargs-unparser is okay. So I forked it an publish this code as npm packge named @care-for/yargs-unparser.

An replace yargs-unparser with @care-for/yargs-unparser in the package.json of mocha.

Alternate Designs

Why should this be in core?

Benefits

Zero vulnerabilities

Possible Drawbacks

Applicable issues

[coveralls]

Coverage increased (+0.03%) to 93.795% when pulling a04fdea on martinoppitz:fix/vulnerability-issue-4332 into 9d4a8ec on mochajs:master.

[deleonio]

Hello, I dont know, whats going wrong.

-- netlify/mocha/deploy-preview

[juergba]

@martinoppitz thank you.
IMO this is not a good solution:

• see comment: Mocha => Yargs-unparser is not affected by this vulnerability.
• publishing our own versions of dependencies is not a good option, for maintainance reasons and especially for an unjustified security warning.

I don't see any need for action in this matter and recommend to close this PR.

[deleonio]

@juergba

Yes, this solution is not the best.

But how we will solve the lodash blocker?!

[Munter]

It's not a blocker. The problem is not in mocha but in your local tooling. Don't block on non-curated false positive security audits

[deleonio]

@Munter

Sorry, thats not right. See here https://snyk.io/test/npm/mocha?tab=dependencies.

The problem is to fix the lodash vulnerability, because lodash is not maintained.

So I tried to fix yargs-unparser ... I hope anybody publish a new version.

[Munter]

@martinoppitz You did obviously not read @boneskull's reponse at #4332 (comment) properly.

There is a security vulnerability in lodash, but yargs-unparser is not using the vulnerable function. This means the vulnerability does actually not affect yargs-unparser and mocha.

Now, if you want to talk about security, asking us to switch our yargs-unparser dependency to a random fork that could very easily be compromised in other ways. Which does not have a history of active maintenance or a record of keeping up to date... That's a hard no.

This is a case of automated security checks causing false positives and resulting in generating more work for open source maintainers. You have now had 3 maintainers spend their time, not only on reviewing the security audit and follow the code path to conclude there's nothing we can do, but also on having to explain the same thing to you multiple times.

The problem that is blocking you is your CI configuration. Configure your CI differently.

I'm going to close these PR's

[deleonio]

Hi @Munter ,

I have read the description from @boneskull - read for yourself: #4332 (comment)

And I would not discuss about security. I will say, that mocha depends on:

• yargs-unparser@1.6.0 and this published package depends on
• lodash@4.7.15

and both probably not maintained.

I tried my best to explain the vulnerability problem.