
fix: xss vulnerability in mocha #2469

Merged
merged 1 commit into from
Feb 18, 2025

Conversation

shumkov
Member

@shumkov shumkov commented Feb 18, 2025

Issue being fixed or feature implemented

serialize-javascript
   ├─ ID: 1102339
   ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
   ├─ URL: https://github.com/advisories/GHSA-76p7-773f-r4q5
   ├─ Severity: moderate
   ├─ Vulnerable Versions: <6.0.2
   │ 
   ├─ Tree Versions
   │  └─ 6.0.0
   │ 
   └─ Dependents
      └─ mocha@npm:10.2.0

What was done?

  • Updated mocha

How Has This Been Tested?

Running audit

Breaking Changes

None

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added or updated relevant unit/integration/functional/e2e tests
  • I have added "!" to the title and described breaking changes in the corresponding section if my code contains any
  • I have made corresponding changes to the documentation if needed

For repository code-owners and collaborators only

  • I have assigned this pull request to a milestone

Summary by CodeRabbit

  • Chores
    • Upgraded multiple dependency versions across the platform, notably advancing the testing framework to version 11.1.0.
    • Updated supporting utility packages and streamlined package configurations by removing deprecated entries.
    • Adjustments ensure improved performance and compatibility with current library standards.
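The PR records the fix as "updated mocha" and the test as "running audit". The check below is an added example, not code from the PR or the repository: it takes an advisory record shaped like the audit output above (package name and the vulnerable range `<6.0.2`) and a lockfile-style dependency graph, and reports every resolved copy of serialize-javascript still inside the range together with the chain of dependents that pulls it in, so the reviewer can see that bumping mocha is what removes it. The graphs, the `root@workspace:.` locator and the sibling terser-webpack-plugin copy are constructed for illustration.

```javascript
// Added example, not code from the PR: evaluate a dependency graph against an advisory
// record shaped like the audit output in the PR description (name + vulnerable range).

// Parse "MAJOR.MINOR.PATCH" (optional yarn "npm:" prefix); pre-release tags ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.replace(/^npm:/, ''));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Range syntax as printed by the audit: comparators (<, <=, >, >=, =) joined by spaces (AND)
// and "||" (OR). Anything else throws, so a malformed range never reads as "not vulnerable".
function satisfiesRange(version, range) {
  return range.split('||').some((clause) =>
    clause.trim().split(/\s+/).every((cmp) => {
      const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '<': return c < 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '>=': return c >= 0;
        default: return c === 0;
      }
    })
  );
}

// Split a yarn-style locator ("@scope/name@npm:1.2.3") at its last "@", so scoped names work.
function splitLocator(locator) {
  const at = locator.lastIndexOf('@');
  return { name: locator.slice(0, at), version: locator.slice(at + 1) };
}

// Every chain root -> ... -> target: shows which direct dependency (here mocha) must be bumped.
function dependencyPaths(graph, root, target) {
  const paths = [];
  const walk = (node, path) => {
    if (path.includes(node)) return; // cycle guard
    const next = [...path, node];
    if (node === target) { paths.push(next); return; }
    for (const dep of graph[node] || []) walk(dep, next);
  };
  walk(root, []);
  return paths;
}

// Each installed copy of advisory.name inside the range; a lockfile may hold several copies.
function findVulnerable(graph, root, advisory) {
  const findings = [];
  for (const locator of Object.keys(graph)) {
    const { name, version } = splitLocator(locator);
    if (name !== advisory.name || !satisfiesRange(version, advisory.vulnerableRange)) continue;
    findings.push({ locator, paths: dependencyPaths(graph, root, locator) });
  }
  return findings;
}

// Advisory fields as quoted in the PR's audit output.
const ADVISORY = { name: 'serialize-javascript', vulnerableRange: '<6.0.2' };
const ROOT = 'root@workspace:.'; // constructed workspace locator

// Constructed graphs (locator -> direct dependency locators), not the repository's lockfile.
// Two copies of serialize-javascript exist; before the bump only the one under mocha is in range.
const GRAPH_BEFORE = {
  [ROOT]: ['mocha@npm:10.2.0', 'terser-webpack-plugin@npm:5.3.11'],
  'mocha@npm:10.2.0': ['serialize-javascript@npm:6.0.0', 'debug@npm:4.3.4'],
  'terser-webpack-plugin@npm:5.3.11': ['serialize-javascript@npm:6.0.2'],
  'serialize-javascript@npm:6.0.0': [],
  'serialize-javascript@npm:6.0.2': [],
  'debug@npm:4.3.4': [],
};
const GRAPH_AFTER = {
  [ROOT]: ['mocha@npm:11.1.0', 'terser-webpack-plugin@npm:5.3.11'],
  'mocha@npm:11.1.0': ['serialize-javascript@npm:6.0.2', 'debug@npm:4.4.0'],
  'terser-webpack-plugin@npm:5.3.11': ['serialize-javascript@npm:6.0.2'],
  'serialize-javascript@npm:6.0.2': [],
  'debug@npm:4.4.0': [],
};

for (const [label, graph] of [['before bump', GRAPH_BEFORE], ['after bump', GRAPH_AFTER]]) {
  const hits = findVulnerable(graph, ROOT, ADVISORY);
  console.log(`${label}: ${hits.length} copy/copies of ${ADVISORY.name} in range ${ADVISORY.vulnerableRange}`);
  for (const h of hits) for (const p of h.paths) console.log('  ' + p.join(' -> '));
}
```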

Contributor

coderabbitai bot commented Feb 18, 2025

Walkthrough

This pull request updates the version numbers of the Mocha testing framework and several related dependencies across various configuration and package files. The update changes Mocha from version 10.2.0 to 11.1.0, with additional modifications in other packages such as debug, diff, terser, minimatch, yargs, and yargs-parser. The changes are applied consistently in files like .pnp.cjs, .yarnrc.yml, and multiple package.json files. Minor updates in the Yarn configuration also adjust the dependency version for karma-mocha.

Changes

File(s) | Change Summary
.pnp.cjs | Updated dependency versions: Mocha (10.2.0 → 11.1.0), Debug (virtual ref updated), Diff (5.0.0 → 5.2.0), Terser (5.14.2 → 5.31.6), Minimatch (4.2.1 → 5.1.6), Yargs (16.2.0 → 17.7.2), Yargs-parser (20.2.4 → 21.1.1).
.yarnrc.yml | Upgraded karma-mocha dependency in packageExtensions: Mocha (^9.1.2 → ^11.1.0).
packages/{bench-suite, dapi-grpc, dapi, dash-spv, dashmate, dashpay-contract, dpns-contract, feature-flags-contract, js-dapi-client, masternode-reward-shares-contract, platform-test-suite, search-contract, token-history-contract, wallet-lib, wallet-utils-contract, wasm-dpp, withdrawals-contract}/package.json | Updated Mocha dependency across various packages (from ^10.2.0 to ^11.1.0) in dependencies or devDependencies.
packages/js-dash-sdk/package.json | Updated Mocha (from ^10.2.0 to ^11.1.0) and Terser-webpack-plugin (from ^5.3.1 to ^5.3.11).

Possibly Related PRs

Suggested Reviewers

  • QuantumExplorer
  • lklimek

Poem

I'm a little bunny, hopping in code's delight,
Upgraded dependencies make my heart feel light.
Mocha now shines in a vibrant new hue,
With each update, fresh tests come into view.
In a garden of code, I nuzzle and play—
Hop on, let's celebrate this bright new day! 🐰


@shumkov shumkov self-assigned this Feb 18, 2025
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ddf4e67 and d297eb7.

⛔ Files ignored due to path filters (30)
📒 Files selected for processing (21)
  • .pnp.cjs (39 hunks)
  • .yarnrc.yml (1 hunks)
  • packages/bench-suite/package.json (1 hunks)
  • packages/dapi-grpc/package.json (1 hunks)
  • packages/dapi/package.json (1 hunks)
  • packages/dash-spv/package.json (1 hunks)
  • packages/dashmate/package.json (1 hunks)
  • packages/dashpay-contract/package.json (1 hunks)
  • packages/dpns-contract/package.json (1 hunks)
  • packages/feature-flags-contract/package.json (1 hunks)
  • packages/js-dapi-client/package.json (1 hunks)
  • packages/js-dash-sdk/package.json (2 hunks)
  • packages/js-grpc-common/package.json (1 hunks)
  • packages/masternode-reward-shares-contract/package.json (1 hunks)
  • packages/platform-test-suite/package.json (1 hunks)
  • packages/search-contract/package.json (1 hunks)
  • packages/token-history-contract/package.json (1 hunks)
  • packages/wallet-lib/package.json (1 hunks)
  • packages/wallet-utils-contract/package.json (1 hunks)
  • packages/wasm-dpp/package.json (1 hunks)
  • packages/withdrawals-contract/package.json (1 hunks)
✅ Files skipped from review due to trivial changes (3)
  • packages/feature-flags-contract/package.json
  • packages/js-grpc-common/package.json
  • packages/token-history-contract/package.json
🔇 Additional comments (56)
.pnp.cjs (38)

2574-2580: Mocha Upgrade Verification
The dependency for Mocha is updated to "npm:11.1.0", which is a key part of this PR to help mitigate the XSS vulnerability (via transitively updating serialize-javascript). Please double-check that all dependent modules are compatible with this new version.


2622-2628: Consistent Mocha Version Update
Mocha is consistently updated to "npm:11.1.0" in this section. Verify that no residual references to the old version remain and that version resolution is handled correctly by Yarn.


2673-2679: Mocha Dependency Consistency Check
The Mocha dependency here has also been updated to "npm:11.1.0". Confirm that this uniform update avoids any version conflicts.


2712-2718: Mocha Update in Reporter Section
The updated Mocha version "npm:11.1.0" is applied in this block. Ensure that testing frameworks and reporters referencing Mocha are adjusted accordingly.


2743-2749: Mocha Version Correctness Check
This hunk shows another instance of Mocha being updated to "npm:11.1.0". The change is consistent; just verify that any build or test scripts invoking Mocha use this version.


2814-2820: Mocha Version Consistency
Mocha is updated to "npm:11.1.0" here as well. Please ensure that the Yarn resolution strategy selects the correct version across the repository.


2856-2862: Mocha Dependency Update Check
The update to "npm:11.1.0" for Mocha in this segment appears correct. It’s important that tests pick up the upgraded version without breaking changes.


2874-2880: Mocha Dependency Verification
Mocha is again updated to "npm:11.1.0". Confirm that integration with other tools (e.g., Karma) is unaffected by this version bump.


2898-2904: Mocha Update for Consistency
The dependency update to "npm:11.1.0" is consistently applied in this range. No issues detected.


2919-2925: Mocha Dependency Version Check
Once more, Mocha is updated to "npm:11.1.0". It is essential to ensure that package-lock (or equivalent) files reflect this change correctly.


2984-2990: Mocha Update in Testing Environment
The version update to Mocha "npm:11.1.0" is applied here. Please verify that tests and scripts invoking Mocha do not rely on features deprecated in this version.


3048-3054: Mocha Dependency Version Steady
The dependency remains updated to "npm:11.1.0". Consistency in updates like these is key for avoiding subtle bugs.


3090-3096: Mocha Version Update Verified
Another instance of Mocha being bumped to "npm:11.1.0"; this is in line with the overall update objective.


3125-3131: Mocha Dependency Consistency
Mocha is updated to "npm:11.1.0" in this block as well. Verify that no downstream configuration depends on the old major version.


3173-3179: Mocha Update Checkpoint
The update to "npm:11.1.0" is reasserted here. It’s important that any breaking changes introduced between Mocha versions are properly tested.


3204-3210: Mocha Version Update Consistency
The Mocha dependency is updated to "npm:11.1.0". Confirm that all scripts and configuration files reference the updated version.


3917-3923: Debug Dependency Update
The debug package’s virtual reference is updated to use "npm:4.3.4". Verify that this change is compatible with any modules relying on debug functionality.


3951-3957: Debug Dependency Consistency
Again, the debug package is updated to "npm:4.3.4". This consistency should help avoid conflicts between direct and transitive dependencies.


3986-3992: Debug Version Update Verification
The second update for debug to "npm:4.3.4" confirms consistency. This should streamline debugging capabilities across the project.


6064-6074: Ansi-Colors Version Update
The ansi-colors package appears to have been updated from "npm:4.1.1" to "npm:4.1.3". Ensure that both the soft and hard link entries use the correct version to avoid runtime discrepancies.


7519-7538: Chokidar Dependency Update
This hunk updates the chokidar package details along with its supporting dependencies. Verify that file-watching functionality works as expected after these updates.


7722-7736: CLIUI and Wrap-Ansi Updates
The updates here address new versions for packages such as cliui and wrap-ansi. Please confirm that these changes do not affect CLI output formatting or other related features.


8561-8567: Mocha Version Enforcement
Once again, Mocha is updated to "npm:11.1.0". Verify that the dependency graph is consistent and that no legacy references persist.


8574-8580: Terser-Webpack-Plugin Version Update
The update to terser-webpack-plugin to "npm:5.3.11" is applied here. Ensure that the webpack build and asset bundling are working correctly after this bump.


8634-8640: Consistent Mocha Dependency Update
The Mocha dependency is updated once more to "npm:11.1.0", maintaining consistency throughout the file.


8709-8735: Debug Dependency and Virtual Package Update
This hunk revises the virtual package information for debug and updates its version to "npm:4.4.0". Double-check that all modules referencing debug resolve to the intended version.


8786-8796: Consistent Debug Dependency Updates
The virtual reference for debug is confirmed updated here. Good consistency across the changes.


9062-9078: Diff Package Version Bump
The diff package version is bumped from "npm:5.1.0" to "npm:5.2.0". This minor update should improve functionality without breaking dependent modules.


12964-12970: Mocha Version Update Consistency
Mocha is updated to "npm:11.1.0" again in this block. Maintain vigilance regarding version compatibility across all sub-packages.


14317-14323: Mocha Dependency Confirmation
Another occurrence of the Mocha update to "npm:11.1.0" confirms thorough coverage of this change. Continue to monitor that all sub-systems reference the correct version.


17008-17023: Schema-Utils and AJV Keywords Update
The updates to schema-utils, ajv, and ajv-keywords appear in this segment. Verify that JSON schema validations and related functionalities operate smoothly with these new versions.


18190-18203: Terser Dependency Update Check
Terser and its related dependencies are updated here. Please ensure that minification and source map generation remain intact post-update.


18221-18230: Terser-Webpack-Plugin Virtual Reference Update
This hunk updates the virtual reference for terser-webpack-plugin to align with "npm:5.3.11". Confirm that webpack’s bundling process correctly incorporates this new version.


18348-18368: Comprehensive Terser-Webpack-Plugin Update
The virtual package details for terser-webpack-plugin are updated in this section. Verify that these changes do not adversely affect build performance or bundle sizes.


18711-18717: Mocha Version Reiteration
Mocha is reasserted as "npm:11.1.0" in this block. As always, ensure that test suites and integration points use the updated version seamlessly.


20202-20211: Workerpool Dependency Update
The workerpool package is updated to "npm:6.5.1". Confirm that asynchronous task management and worker pooling mechanisms continue to function as expected with this upgrade.


20436-20453: Yargs and Yargs-Parser Dependency Update
The updates to yargs and yargs-parser here are intended to ensure improved CLI argument parsing. Validate that all command-line interfaces behave correctly post-update.


20462-20478: Final Yargs-Parser Updates
The dependency updates for yargs-parser are finalized in this hunk. Please verify that downstream tools relying on CLI parsing resolve these versions properly without issues.

packages/search-contract/package.json (1)

25-25: Mocha Version Upgrade Verified.
The mocha dependency has been updated from ^10.2.0 to ^11.1.0, which is consistent with the PR’s objectives of addressing dependency vulnerabilities (notably related to the serialize-javascript chain). Please ensure that all unit tests pass after this upgrade.

packages/wallet-utils-contract/package.json (1)

25-25: Consistent Mocha Upgrade in Wallet Utils.
The upgrade to ^11.1.0 is correctly applied here. Verify that the new version does not introduce any unforeseen issues in your test suite.

packages/dash-spv/package.json (1)

27-27: Mocha Dependency Update for dash-spv.
The mocha version change to ^11.1.0 aligns with the overall project update. Please run a full test suite to confirm that there are no regressions or compatibility issues with this update.

packages/dashpay-contract/package.json (1)

34-34: Mocha Version Consistency in DashPay Contract.
The dependency update from ^10.2.0 to ^11.1.0 is correctly applied. Validate that the testing framework upgrade maintains compatibility with existing test scripts.

packages/dpns-contract/package.json (1)

40-40: Mocha Dependency Version Updated.
The upgrade to ^11.1.0 is consistently applied in this file as well. Ensure that integration tests and any environment-specific test cases run smoothly with this change.

packages/masternode-reward-shares-contract/package.json (1)

40-40: Upgrade Mocha Dependency Version in DevDependencies
The mocha version has been updated from "^10.2.0" to "^11.1.0", which is a vital change aimed at addressing the XSS vulnerability (via the serialize-javascript dependency). Please ensure that the project's test suite runs without issues after this upgrade.

packages/withdrawals-contract/package.json (1)

41-41: Upgrade Mocha Dependency for Withdrawals Contract
The mocha dependency has been updated to "^11.1.0" to mitigate the XSS vulnerability. Confirm that existing tests in this package work as expected with the new version.

packages/bench-suite/package.json (1)

20-20: Update Mocha Version in Bench Suite Dependencies
The dependency version for mocha is changed to "^11.1.0" for consistency with other packages and to address the vulnerability. Ensure that this change does not adversely affect any benchmark-related test execution.

.yarnrc.yml (1)

47-47: Update Karma-Mocha Configuration in Yarn Settings
The karma-mocha dependency configuration has been updated to use mocha "^11.1.0". This change is critical to prevent the XSS vulnerability tied to the older versions of dependencies. Verify that the build and test processes correctly pick up this configuration change.

packages/dapi-grpc/package.json (1)

62-62: Upgrade Mocha Version in DAPI GRPC DevDependencies
The mocha version in the devDependencies has been updated to "^11.1.0". This aligns with the overall project strategy to remedy the serialize-javascript XSS vulnerability. Please double-check that all unit tests for the DAPI GRPC package continue to pass with the upgrade.

packages/platform-test-suite/package.json (1)

59-59: Update Mocha Dependency for Security Patch

The Mocha version has been updated from ^10.2.0 to ^11.1.0 as required to mitigate the XSS vulnerability linked to serialize-javascript. This aligns with the broader project upgrade strategy. Please ensure that the test suite runs without issues after this update.

packages/dapi/package.json (1)

69-69: Upgrade DevDependency Mocha Version

The mocha dependency in the devDependencies section has been updated to ^11.1.0, consistent with the security advisory upgrade. Verify that all tests and scripts invoking Mocha are compatible with this new version.

packages/wasm-dpp/package.json (1)

76-76: Consistent Mocha Version Update

The update to mocha version ^11.1.0 on line 76 ensures that the @dashevo/wasm-dpp package benefits from the security patch addressing the XSS vulnerability. Please confirm that this change does not affect the WASM build or the test executions.

packages/wallet-lib/package.json (1)

83-83: Mocha Version Upgrade in Wallet Library

The Mocha dependency in the devDependencies has been updated to ^11.1.0 as shown on line 83. This change is in line with the overall project update for security improvements. Ensure that test scripts continue to function correctly with this upgrade.

packages/js-dapi-client/package.json (1)

67-67: Update Mocha in JS DAPI Client Package

The mocha dependency has been updated to ^11.1.0 (line 67) to address the XSS vulnerability problem via dependency upgrade. Confirm that any custom Mocha configurations or test setups in this package are compatible with version 11.

packages/js-dash-sdk/package.json (2)

88-88: Updated Mocha Version to Address Vulnerabilities
The mocha dependency has been bumped to ^11.1.0. This upgrade is crucial given the reported XSS vulnerability in the serialize-javascript dependency (GHSA-76p7-773f-r4q5) that mocha indirectly uses. Please verify that no breaking changes in Mocha v11 affect your tests and that the new version indeed pulls in the patched dependencies.


100-100: Updated Terser-Webpack-Plugin Version
The version upgrade for terser-webpack-plugin to ^5.3.11 is a minor update that should improve stability or security. Ensure that all related webpack configurations remain compatible with this version change.

packages/dashmate/package.json (1)

109-109: Consistent Mocha Upgrade in DevDependencies
The mocha dependency in the devDependencies section has been updated to ^11.1.0, aligning it with the changes in other packages. This consistency helps ensure that all test-related tooling benefits from the security fixes (specifically addressing the XSS vulnerability via serialize-javascript) and improvements introduced in Mocha v11. Please double-check that no unexpected breaking changes affect the test suite.

@shumkov shumkov merged commit 04276d5 into v2.0-dev Feb 18, 2025
126 of 131 checks passed
@shumkov shumkov deleted the fix/xss-vulnerability branch February 18, 2025 14:00
lklimek added a commit that referenced this pull request Mar 6, 2025
commit 6776651
Author: QuantumExplorer <quantum@dash.org>
Date:   Sat Mar 1 22:23:41 2025 +0700

    chore: update to latest dash core 37 (#2483)

commit 1501103
Merge: a7c7a0f da17fc5
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Thu Feb 27 14:21:41 2025 +0700

    chore: merge master and resolve conflicts (#2481)

commit da17fc5
Author: pshenmic <pshenmic@gmail.com>
Date:   Thu Feb 27 13:31:51 2025 +0700

    feat(js-dash-sdk): fix tests after merge

commit c7e40cb
Merge: c57e8b2 f9eb069
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Thu Feb 27 09:35:02 2025 +0700

    Merge remote-tracking branch 'origin/chore/merge-master' into chore/merge-master

commit c57e8b2
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Thu Feb 27 09:34:40 2025 +0700

    test(dpp): fix assertion with the same value

commit 045b6fa
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Thu Feb 27 09:32:33 2025 +0700

    chore(dpp): remove unnecessary type conversion

commit 8160ccd
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Thu Feb 27 09:31:32 2025 +0700

    chore: remove duplicated commented code

commit f9eb069
Merge: 05d0085 a7c7a0f
Author: pshenmic <pshenmic@gmail.com>
Date:   Wed Feb 26 20:03:00 2025 +0700

    Merge branch 'v2.0-dev' into chore/merge-master

commit a7c7a0f
Author: pshenmic <pshenmic@gmail.com>
Date:   Wed Feb 26 19:52:02 2025 +0700

    build: bump rust version to 1.85 (#2480)

commit 05d0085
Merge: bcf1785 196976c
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Wed Feb 26 18:03:38 2025 +0700

    Merge branch 'master' into v2.0-dev

commit bcf1785
Author: lklimek <842586+lklimek@users.noreply.github.com>
Date:   Fri Feb 21 08:43:35 2025 +0100

    feat: wasm sdk build proof-of-concept (#2405)

    Co-authored-by: Ivan Shumkov <ivan@shumkov.ru>

commit 5e32426
Author: Paul DeLucia <69597248+pauldelucia@users.noreply.github.com>
Date:   Thu Feb 20 19:22:52 2025 +0700

    fix: token already paused unpaused and frozen validation (#2466)

commit 374a036
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Thu Feb 20 17:46:57 2025 +0700

    test: fix slowdown of JS SDK unit tests (#2475)

commit 1fed09b
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Thu Feb 20 13:46:36 2025 +0700

    fix(dpp): invalid feature flag usage (#2477)

commit 33507bb
Author: Paul DeLucia <69597248+pauldelucia@users.noreply.github.com>
Date:   Thu Feb 20 13:18:55 2025 +0700

    fix: destroy frozen funds used wrong identity and proof verification (#2467)

commit 91a9766
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Wed Feb 19 16:57:32 2025 +0700

    feat(sdk): return state transition execution error (#2454)

commit cb915a7
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Wed Feb 19 16:46:54 2025 +0700

    test: fix token history contract tests (#2470)

commit 04276d5
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Tue Feb 18 21:00:05 2025 +0700

    fix: xss vulnerability in mocha (#2469)

commit 196976c
Author: pshenmic <pshenmic@gmail.com>
Date:   Fri Feb 14 18:50:08 2025 +0700

    fix(sdk)!: bigint for uint64 values (#2443)

commit 0bd29a6
Author: pshenmic <pshenmic@gmail.com>
Date:   Fri Feb 14 17:29:35 2025 +0700

    feat(dpp): extra methods for state transitions in wasm (#2462)

commit 1eae781
Author: pshenmic <pshenmic@gmail.com>
Date:   Fri Feb 14 15:29:17 2025 +0700

    chore(platform): npm audit fix (#2463)

commit ddf4e67
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Fri Feb 14 11:28:08 2025 +0700

    test: fix `fetchProofForStateTransition` tests and warnings (#2460)

commit d88ea46
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Fri Feb 14 09:52:53 2025 +0700

    fix(dpp): invalid imports and tests (#2459)

commit 82e4d4c
Merge: 125cfe7 4becf5f
Author: Paul DeLucia <69597248+pauldelucia@users.noreply.github.com>
Date:   Thu Feb 13 19:05:51 2025 +0700

    fix: check if token is paused on token transfers (#2458)

commit 4becf5f
Author: pauldelucia <pauldelucia2@gmail.com>
Date:   Thu Feb 13 18:34:24 2025 +0700

    add costs

commit 907971d
Merge: 9026669 125cfe7
Author: Paul DeLucia <69597248+pauldelucia@users.noreply.github.com>
Date:   Thu Feb 13 18:05:06 2025 +0700

    Merge branch 'v2.0-dev' into feat/token-paused-validation

commit 125cfe7
Merge: 91f65c6 c286ec0
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Thu Feb 13 15:51:46 2025 +0700

    Merge branch 'v2.0-dev' into v2.0-tokens-dev

commit 9026669
Author: pauldelucia <pauldelucia2@gmail.com>
Date:   Thu Feb 13 13:41:19 2025 +0700

    feat: check if token is paused on token transfers

commit c286ec0
Author: pshenmic <pshenmic@gmail.com>
Date:   Wed Feb 12 15:41:21 2025 +0700

    feat(sdk): add option to request all keys (#2445)

commit 91f65c6
Merge: d6b40e6 1a1c50b
Author: Paul DeLucia <69597248+pauldelucia@users.noreply.github.com>
Date:   Wed Feb 12 12:04:58 2025 +0700

    fix: wrong order of parameters in UnauthorizedTokenActionError (#2456)

commit 1a1c50b
Author: pauldelucia <pauldelucia2@gmail.com>
Date:   Wed Feb 12 11:51:31 2025 +0700

    fix: wrong order of parameters in UnauthorizedTokenActionError

commit 26aff36
Author: lklimek <842586+lklimek@users.noreply.github.com>
Date:   Tue Feb 11 13:06:54 2025 +0100

    build: bump Alpine version to 3.21 (#2074)

commit 9daa195
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Tue Feb 11 14:38:55 2025 +0700

    ci: use github-hosted arm runner for release workflow (#2452)

commit 2b1c252
Author: Paul DeLucia <69597248+pauldelucia@users.noreply.github.com>
Date:   Tue Feb 4 16:40:34 2025 +0700

    fix: proof result error for credit transfers in sdk (#2451)

commit d6b40e6
Author: QuantumExplorer <quantum@dash.org>
Date:   Tue Feb 4 06:49:03 2025 +0700

    feat(platform): token distribution part two (#2450)

commit 93f7d44
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Wed Jan 29 14:07:55 2025 +0700

    fix(dpp): invalid feature flag instructions (#2448)

commit 6d5af88
Author: QuantumExplorer <quantum@dash.org>
Date:   Mon Jan 27 16:59:39 2025 +0700

    feat(dpp): token distribution model (#2447)

commit e735313
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Mon Jan 27 14:24:26 2025 +0700

    feat: add token transitions to SDK and DAPI (#2434)

commit 0743be2
Author: pshenmic <pshenmic@gmail.com>
Date:   Sun Jan 26 22:00:40 2025 +0700

    feat(dpp): extra methods for state transitions in wasm (#2401)

commit f609bcf
Merge: 3733f56 cbddb8d
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Fri Jan 24 18:16:38 2025 +0700

    Merge branch 'v2.0-dev' into v2.0-tokens-dev

commit cbddb8d
Author: QuantumExplorer <quantum@dash.org>
Date:   Fri Jan 24 17:59:16 2025 +0700

    chore(platform): make bls sig compatibility an optional feature (#2440)

    Co-authored-by: Ivan Shumkov <ivan@shumkov.ru>

commit 764684b
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Fri Jan 24 17:57:27 2025 +0700

    chore: ignore deprecated `lodash.get` (#2441)

commit 3733f56
Author: QuantumExplorer <quantum@dash.org>
Date:   Thu Jan 23 09:16:12 2025 +0700

    feat(platform)!: enhance token configuration and validation mechanisms (#2439)

commit 2480ceb
Author: QuantumExplorer <quantum@dash.org>
Date:   Wed Jan 22 16:33:13 2025 +0700

    chore: dapi grpc queries (#2437)

commit c9ab154
Author: QuantumExplorer <quantum@dash.org>
Date:   Wed Jan 22 15:50:25 2025 +0700

    feat(platform)!: improved token validation and token config update transition (#2435)

commit d9647cc
Author: QuantumExplorer <quantum@dash.org>
Date:   Tue Jan 21 10:28:58 2025 +0700

    feat: get proofs for tokens (#2433)

commit e5964b8
Author: QuantumExplorer <quantum@dash.org>
Date:   Mon Jan 20 23:31:50 2025 +0700

    feat: group queries (#2432)

commit 0220302
Author: QuantumExplorer <quantum@dash.org>
Date:   Sun Jan 19 14:43:51 2025 +0700

    feat(platform): proof verification for many queries and a few more queries (#2431)

commit cd1527d
Author: QuantumExplorer <quantum@dash.org>
Date:   Fri Jan 17 19:39:37 2025 +0700

    fix(dpp)!: wrapping overflow issue (#2430)

commit fd7ee85
Merge: d7143cc e4e156c
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Thu Jan 16 21:45:47 2025 +0700

    Merge branch 'master' into v1.9-dev

commit e4e156c
Author: QuantumExplorer <quantum@dash.org>
Date:   Thu Jan 16 18:11:57 2025 +0700

    chore(release): update change log and release v1.8.0 (#2427)

    Co-authored-by: Ivan Shumkov <ivan@shumkov.ru>

commit 55a1e03
Author: QuantumExplorer <quantum@dash.org>
Date:   Thu Jan 16 15:30:42 2025 +0700

    feat(platform)!: token base support (#2383)

commit 59bf0af
Author: QuantumExplorer <quantum@dash.org>
Date:   Thu Jan 16 13:10:39 2025 +0700

    chore(release): bump to v1.8.0-rc.2 (#2426)

commit 410eb09
Author: QuantumExplorer <quantum@dash.org>
Date:   Thu Jan 16 06:31:26 2025 +0700

    fix(drive-abci): rebroadcasting should not only take first 2 quorums too (#2425)

commit 2abce8e
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Wed Jan 15 22:51:58 2025 +0700

    chore(release): update changelog and bump version to 1.8.0-rc.1 (#2423)

commit ad5f604
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Wed Jan 15 22:14:13 2025 +0700

    chore: update bls library (#2424)

commit c6feb5b
Author: QuantumExplorer <quantum@dash.org>
Date:   Wed Jan 15 18:57:49 2025 +0700

    feat(platform)!: distribute prefunded specialized balances after vote (#2422)

    Co-authored-by: Ivan Shumkov <ivan@shumkov.ru>

commit 94dcbb2
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Wed Jan 15 05:51:45 2025 +0700

    chore(drive): increase withdrawal limits to 2000 Dash per day (#2287)

commit 6a0aede
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Tue Jan 14 21:42:59 2025 +0700

    chore: fix test suite configuration script (#2402)

commit e94b7bb
Author: QuantumExplorer <quantum@dash.org>
Date:   Tue Jan 14 19:23:46 2025 +0700

    fix(drive-abci): document purchase on mutable document from different epoch had issue (#2420)

commit 4ee57a6
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Tue Jan 14 19:12:20 2025 +0700

    fix(drive): more than one key was returned when expecting only one result (#2421)

commit be5cd6d
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Mon Jan 13 15:12:33 2025 +0700

    fix(sdk): failed to deserialize consensus error (#2410)

commit e07271e
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Mon Jan 13 14:57:08 2025 +0700

    chore: resolve NPM audit warnings (#2417)

commit a809df7
Author: QuantumExplorer <quantum@dash.org>
Date:   Sun Jan 12 09:21:48 2025 +0700

    test: unify identity versioned cost coverage (#2416)

commit 6d637fe
Author: Paul DeLucia <69597248+pauldelucia@users.noreply.github.com>
Date:   Fri Dec 27 09:42:04 2024 -0500

    fix: try DriveDocumentQuery from DocumentQuery start field (#2407)

commit cfd9c4d
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Thu Dec 19 18:30:06 2024 +0700

    chore(release): update changelog and bump version to 1.8.0-dev.2 (#2404)

commit fecda31
Merge: 37d5732 fc7d994
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Thu Dec 19 15:33:45 2024 +0700

    Merge branch 'master' into v1.8-dev

commit fc7d994
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Thu Dec 19 14:40:44 2024 +0700

    chore(release): update changelog and bump version to 1.7.1 (#2403)

commit adcd3b8
Author: QuantumExplorer <quantum@dash.org>
Date:   Thu Dec 19 09:54:07 2024 +0300

    fix!: emergency hard fork to fix masternode voting (#2397)

commit 37d5732
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Wed Dec 18 22:24:37 2024 +0700

    fix(dashmate): some group commands fail with mtime not found (#2400)

commit 01a5b7a
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Wed Dec 18 20:44:44 2024 +0700

    refactor(dpp): using deprecated param to init wasm module (#2399)

commit c5f5878
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Wed Dec 18 18:04:14 2024 +0700

    fix(dashmate): local network starting issues (#2394)

commit 71c41ff
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Wed Dec 18 18:03:55 2024 +0700

    perf(dpp): reduce JS binding size by 3x (#2396)

commit 21ec393
Author: lklimek <842586+lklimek@users.noreply.github.com>
Date:   Wed Dec 18 10:47:58 2024 +0100

    build!: update rust to 1.83 - backport #2393 to v1.7 (#2398)

commit d7143cc
Author: lklimek <842586+lklimek@users.noreply.github.com>
Date:   Wed Dec 18 08:53:53 2024 +0100

    build!: optimize for x86-64-v3 cpu microarchitecture (Haswell+) (#2374)

commit d318b1c
Author: lklimek <842586+lklimek@users.noreply.github.com>
Date:   Tue Dec 17 14:56:15 2024 +0100

    build: bump wasm-bindgen to 0.2.99 (#2395)

commit 889d192
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Tue Dec 17 19:25:58 2024 +0700

    chore(release): update changelog and bump version to 1.8.0-dev.1 (#2391)

commit 8185d21
Author: lklimek <842586+lklimek@users.noreply.github.com>
Date:   Tue Dec 17 10:47:53 2024 +0100

    feat(sdk)!: allow setting CA cert (#1924)

commit 82a6217
Author: lklimek <842586+lklimek@users.noreply.github.com>
Date:   Tue Dec 17 02:51:18 2024 +0100

    build!: update rust to 1.83 (#2393)

commit 494054a
Author: QuantumExplorer <quantum@dash.org>
Date:   Mon Dec 16 13:47:58 2024 +0300

    refactor(platform): replace bls library (#2257)

    Co-authored-by: Lukasz Klimek <842586+lklimek@users.noreply.github.com>

commit 4c203e4
Author: lklimek <842586+lklimek@users.noreply.github.com>
Date:   Mon Dec 16 10:38:34 2024 +0100

    test(sdk): generate test vectors using testnet (#2381)

commit 0ff6b27
Author: lklimek <842586+lklimek@users.noreply.github.com>
Date:   Mon Dec 16 10:37:35 2024 +0100

    chore: remove deprecated check_network_version.sh (#2084)

commit b265bb8
Author: lklimek <842586+lklimek@users.noreply.github.com>
Date:   Fri Dec 13 13:25:40 2024 +0100

    ci: fix artifact upload issue on release build (#2389)

commit 40ae73f
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Fri Dec 13 17:35:40 2024 +0700

    chore(release): update changelog and bump version to 1.7.0 (#2387)

commit 257e3da
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Fri Dec 13 15:44:10 2024 +0700

    chore(dashmate)!: update Core to version 22 (#2384)

commit 19a4c6d
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Thu Dec 12 18:30:14 2024 +0700

    chore(dashmate): set tenderdash version to 1 (#2385)

commit 0e9d4dc
Author: lklimek <842586+lklimek@users.noreply.github.com>
Date:   Thu Dec 12 11:39:35 2024 +0100

    chore: address vulnerability GHSA-mwcw-c2x4-8c55 (#2382)

    Co-authored-by: Ivan Shumkov <ivan@shumkov.ru>

commit bdae90c
Author: Ivan Shumkov <ivan@shumkov.ru>
Date:   Thu Dec 12 13:36:04 2024 +0700

    chore(dashmate): increase subsidy for devnet (#2353)
@thephez thephez added this to the v2.0.0 milestone Apr 14, 2025