Bump minimatch and mocha in /test/js-scripts

[dependabot]

Bumps minimatch and mocha. These dependencies needed to be updated together.
Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates mocha from 10.4.0 to 10.8.2

Release notes

Sourced from mocha's releases.

v10.8.2

10.8.2 (2024-10-30)

🩹 Fixes

• support errors with circular dependencies in object values with --parallel (#5212) (ba0fefe)
• test link in html reporter (#5224) (f054acc)

📚 Documentation

• indicate 'exports' interface does not work in browsers (#5181) (14e640e)

🧹 Chores

• fix docs builds by re-adding eleventy and ignoring gitignore again (#5240) (881e3b0)

🤖 Automation

• deps: bump the github-actions group with 1 update (#5132) (e536ab2)

v10.8.1

10.8.1 (2024-10-29)

🩹 Fixes

• handle case of invalid package.json with no explicit config (#5198) (f72bc17)
• Typos on mochajs.org (#5237) (d8ca270)
• use accurate test links in HTML reporter (#5228) (68803b6)

v10.8.0

10.8.0 (2024-10-29)

🌟 Features

• highlight browser failures (#5222) (8ff4845)

🩹 Fixes

• remove :is() from mocha.css to support older browsers (#5225) (#5227) (0a24b58)

📚 Documentation

... (truncated)

Changelog

Sourced from mocha's changelog.

10.8.2 (2024-10-30)

🩹 Fixes

• support errors with circular dependencies in object values with --parallel (#5212) (ba0fefe)
• test link in html reporter (#5224) (f054acc)

📚 Documentation

• indicate 'exports' interface does not work in browsers (#5181) (14e640e)

🧹 Chores

• fix docs builds by re-adding eleventy and ignoring gitignore again (#5240) (881e3b0)

🤖 Automation

• deps: bump the github-actions group with 1 update (#5132) (e536ab2)

10.8.1 (2024-10-29)

🩹 Fixes

• handle case of invalid package.json with no explicit config (#5198) (f72bc17)
• Typos on mochajs.org (#5237) (d8ca270)
• use accurate test links in HTML reporter (#5228) (68803b6)

10.8.0 (2024-10-29)

🌟 Features

• highlight browser failures (#5222) (8ff4845)

🩹 Fixes

• remove :is() from mocha.css to support older browsers (#5225) (#5227) (0a24b58)

📚 Documentation

• add SECURITY.md pointing to Tidelift (#5210) (bd7e63a)
• adopt Collective Funds Guidelines 0.1 (#5199) (2b03d86)
• update README, LICENSE and fix outdated (#5197) (1203e0e)

🧹 Chores

• fix npm scripts on windows (#5219) (1173da0)
• remove trailing whitespace in SECURITY.md (7563e59)

10.7.3 (2024-08-09)

... (truncated)

Commits

• 05097db chore(main): release 10.8.2 (#5239)
• 14e640e docs: indicate 'exports' interface does not work in browsers (#5181)
• 881e3b0 chore: fix docs builds by re-adding eleventy and ignoring gitignore again (#5...
• f054acc fix: test link in html reporter (#5224)
• e536ab2 build(deps): bump the github-actions group with 1 update (#5132)
• ba0fefe fix: support errors with circular dependencies in object values with --parall...
• f44f71b chore(main): release 10.8.1 (#5238)
• f72bc17 fix: handle case of invalid package.json with no explicit config (#5198)
• 68803b6 fix: use accurate test links in HTML reporter (#5228)
• d8ca270 fix: Typos on mochajs.org (#5237)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Embedded URLs or IPs: npm mocha URLs: https://github.com/mochajs/mocha/wiki/compilers-deprecation, https://nodejs.org/api/errors.html#errors_error_stacktracelimit, 0.0.0.0, https://npm.im/yargs-parser, https://npm.im/serialize-javascript, chokidar.watch, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/toString, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures, github.com/rstacruz/mocha-clean, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map#Custom_and_Null_objects, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/create#Custom_and_Null_objects, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/assign#Custom_and_Null_objects, http://feross.org, https://bugzilla.mozilla.org/show_bug.cgi?id=695438., http://msdn.microsoft.com/en-us/library/ie/dww52sbt, https://en.wikipedia.org/wiki/Latin_script_in_Unicode, https://www.artima.com/weblogs/viewpost.jsp?thread=164293, http://code.google.com/p/google-diff-match-patch/wiki/API, https://mathiasbynens.be/notes/ambiguous-ampersands:, http://html5sec.org/Uniswap#102,, http://html5sec.org/Uniswap#108,, http://html5sec.org/Uniswap#133., https://mths.be/punycode., https://mathiasbynens.be/notes/javascript-encoding#surrogate-formulae, https://mths.be/notes/ambiguous-ampersands, http://stackoverflow.com/a/16459606/376773, https://github.com/facebook/react-native/pull/1632, http://stackoverflow.com/a/398120/376773, https://developer.mozilla.org/en-US/docs/Tools/Web_Console#Styling_messages, https://nodejs.org/api/process.html#process_process_emitwarning_warning_options, https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/setTimeout#Maximum_delay_value, https://nodejs.org/api/events.html#events_class_eventemitter, https://testanything.org/tap-specification.html, https://testanything.org/tap-version-13-specification.html, https://mochajs.org/, https://ibin.co/4QuRuGjXvl36.png, https://github.com/mochajs/mocha/pull/916 Location: Package overview From: test/js-scripts/package-lock.json → npm/@uniswap/v3-sdk@3.11.2 → npm/mocha@10.8.2 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mocha@10.8.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm mocha is 100.0% likely to have a medium risk anomaly Notes: The code implements a standard buffered worker pool wrapper for Mocha parallel execution. The most notable risk is the use of serializeJavascript with unsafe: true for IPC, which could allow scripted content to be executed if the deserialization path in the worker is not strictly isolated. Otherwise, there are no clear malicious behaviors (no network exfiltration, no backdoors, no filesystem tampering). The module exposes typical worker management functionality and minimal external data handling beyond IPC and environment knob MOCHA_WORKER_ID. Recommend ensuring the worker's deserialization path is strictly sandboxed and that the IPC layer validates and sanitizes inputs. Consider replacing unsafe serialization or ensuring the worker-side only deserializes to a known schema. Confidence: 1.00 Severity: 0.60 From: test/js-scripts/package-lock.json → npm/@uniswap/v3-sdk@3.11.2 → npm/mocha@10.8.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mocha@10.8.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm workerpool is 100.0% likely to have a medium risk anomaly Notes: The fragment represents a conventional and sound worker pool IPC model with proper asynchronous handling and Transfer-based data transfer. The principal security concern is the dynamic execution of stringified code via new Function, which could enable arbitrary code execution if untrusted input ever flows into worker.run. In trusted, closed-over environments, this remains a manageable risk, but it warrants strict enforcement of trusted inputs, tight coupling between host and worker, and preferably avoiding new Function where possible (or sandboxing). Overall, moderate risk with a clear mitigation path centered on input trust and function serialization safeguards. Confidence: 1.00 Severity: 0.60 From: test/js-scripts/package-lock.json → npm/@uniswap/v3-sdk@3.11.2 → npm/workerpool@6.5.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/workerpool@6.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm workerpool is 100.0% likely to have a medium risk anomaly Notes: The fragment is a standard worker pool implementation with a notable security sink: dynamic code execution through new Function in run. This is a legitimate capability of the library but introduces a high-risk vector if untrusted code can be passed as the function string. There are no clear malicious actions (no exfiltration, backdoors, or crypto mining) evident in this snippet, but the dynamic evaluation presents a potential supply-chain risk if used with untrusted inputs. Overall, the code is not inherently malicious, but the dynamic evaluation presents a significant risk requiring strict input validation and trusted usage to prevent remote code execution in downstream applications. Confidence: 1.00 Severity: 0.60 From: test/js-scripts/package-lock.json → npm/@uniswap/v3-sdk@3.11.2 → npm/workerpool@6.5.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/workerpool@6.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm workerpool is 100.0% likely to have a medium risk anomaly Notes: Overall, this is a conventional cross-environment worker implementation with a high-risk capability (dynamic function execution) that could be abused if untrusted input is ever passed to worker.methods.run. The eval-based shim contributes additional dynamic behavior risk. The module is not inherently malicious, but it requires strict input controls, sandboxing, and explicit security reviews before being deployed in supply chains. Confidence: 1.00 Severity: 0.60 From: test/js-scripts/package-lock.json → npm/@uniswap/v3-sdk@3.11.2 → npm/workerpool@6.5.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/workerpool@6.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report