If you believe you've discovered a vulnerability, please don't open a public bug or comment. Please follow our security policy.
We're confident in Mocha's security posture because it's a unit test framework: it's not designed to run on a public server, and it doesn't process untrusted data. If that doesn't match your use of Mocha, we strongly advise you to reconsider: Mocha is not designed to read untrusted data.
Here we'll track and explain each GitHub Advisory that may or may not affect Mocha. As of 2026-03-03, no publicly reported potential vulnerability has actually affected Mocha. For details and workarounds, you can learn more at Security Vulnerability Reports - mochajs.org.
| Advisory ID | Title | Dependency | Affects Mocha? | Reason | Last reviewed |
|---|---|---|---|---|---|
| GHSA-2g4f-4pwh-qvx6 | ajv has ReDoS when using $data option | ajv | No | Requires untrusted data | 2026-03-03 |
| GHSA-3ppc-4f35-3m26 | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | minimatch | No | Requires untrusted data | 2026-03-03 |
| GHSA-73rr-hh4g-fpgx | jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch | diff | No | Requires untrusted data | 2026-03-03 |
| GHSA-5c6j-r48x-rmvq | Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() | serialize-javascript | No | Requires untrusted data | 2026-03-03 |
| GHSA-5j98-mcp5-4vw2 | glob CLI: Command injection via -c/--cmd executes matches with shell:true | glob | No | Requires untrusted data | 2026-03-03 |
We update dependencies as time allows, and we use Renovate for this: #5704. We backport critical fixes and easy wins to previous major versions.
Again, if you believe you've discovered a vulnerability, please don't open a public bug or comment. Please follow our security policy.