CodeceptJS v3.4.0 uses a vulnerable version of minimatch and nanoid

[lbosap]

What are you trying to achieve?

npm audit

What do you get instead?

Vulnerable version of minimatch and nanoid.

Provide console output if related. Use --verbose mode for more details.

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install codeceptjs@2.2.1, which is a breaking change
node_modules/codeceptjs/node_modules/minimatch
  mocha  5.1.0 - 9.2.1
  Depends on vulnerable versions of minimatch
  Depends on vulnerable versions of nanoid
  node_modules/codeceptjs/node_modules/mocha
    codeceptjs  >=2.3.0
    Depends on vulnerable versions of mocha
    node_modules/codeceptjs

nanoid  3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix --force`
Will install codeceptjs@2.2.1, which is a breaking change
node_modules/codeceptjs/node_modules/nanoid

Details

• CodeceptJS version: 3.4.0
• NodeJS Version: 18.13.0
• Operating System: Windows 10
• related to CodeceptJS v3.3.7 uses a vulnerable version of flat and minimatch #3569

[DavertMik]

to be honest, I don't understand that kind of vulnerability...
you NEVER deploy codeceptjs to production
you run it mostly on CI environments

what can a scan for vulnerabilities reveal?

but sure I will update deps in a next version

[patrickromo1]

to be honest, I don't understand that kind of vulnerability... you NEVER deploy codeceptjs to production you run it mostly on CI environments

what can a scan for vulnerabilities reveal?

but sure I will update deps in a next version

Security teams not being able to distinguish between deployable production code vs test code and wanting to get the dependabot alerts to 0.