Skip to content

Remove chai + mocha from dependencies
Compare
Choose a tag to compare
@andygout andygout released this 04 Dec 11:58
v6.0.4
fefa00e
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

mocha and chai are now included as devDeepndencies rather than dependencies.

The versions being used were reported by Snyk as allowing a Prototype Pollution vulnerability. Although any consuming apps very unlikely to utilise chai or mocha in a way that would include it as production code (in fact this would probably be very hard to achieve), this new release has been issued so as to make clear the intent that given the knowledge of these vulnerabilities, these libraries should in no way be considered dependencies.

Assets 2
Loading