🛠 Repo: Several packages reported by npm audit

[JoshuaKGoldberg]

Tooling Suggestion Checklist

• I have tried restarting my IDE and the issue persists.
• I have pulled the latest master branch of the repository.
• I have read and agree to Mocha's Code of Conduct and Contributing Guidelines
• I have searched for related issues and issues with the faq label, but none matched my issue.
• I want to provide a PR to resolve this

Overview

Running npm audit reports 58 vulnerabilities (34 moderate, 23 high, 1 critical):

• @babel/traverse <7.23.2
• axios 0.8.1 - 1.5.1
• browserify-sign 2.6.0 - 4.2.1
• debug <=2.6.8
• engine.io 5.1.0 - 6.4.1
• get-func-name <2.0.1
• got <=11.8.3
• http-cache-semantics <4.1.1
• liquidjs <10.0.0
• markdown-it <12.3.2
• ms <2.0.0
• nth-check <2.0.1
• nunjucks <3.2.4
• postcss <8.4.31
• request *
• semver <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
• semver-regex <=3.1.3
• socket.io-parser 4.0.4 - 4.2.2
• taffydb *
• tough-cookie <4.1.3
• trim-newlines <3.0.1
• word-wrap <1.2.4

After running npm audit fix locally, npm audit reports 50 vulnerabilities (30 moderate, 20 high):

• axios 0.8.1 - 1.5.1
• debug <=2.6.8
• got <=11.8.3
• http-cache-semantics <4.1.1
• liquidjs <10.0.0
• markdown-it <12.3.2
• ms <2.0.0
• nth-check <2.0.1
• postcss <8.4.31
• request *
• semver-regex <=3.1.3
• taffydb *
• tough-cookie <4.1.3
• trim-newlines <3.0.1

Additional Info

It's the nature of package vulnerability alerts that most or all of these are false flags. But it's good practice to stay up-to-date just in case.

[JoshuaKGoldberg]

#5071 gets most of this. After it the audit report is just 5 vulnerabilities (4 moderate, 1 high):

# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request
  coveralls  *
  Depends on vulnerable versions of request
  node_modules/coveralls
  hyperlink  *
  Depends on vulnerable versions of request
  node_modules/hyperlink

taffydb  *
Severity: high
TaffyDB can allow access to any data items in the DB - https://github.com/advisories/GHSA-mxhp-79qh-mcx6
No fix available
node_modules/taffydb

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/request/node_modules/tough-cookie

5 vulnerabilities (4 moderate, 1 high)

Some issues need review, and may require choosing
a different dependency.

Looking at the three relevant packages:

• request: Comes from coveralls (🛠️ Repo: Migrate to codecov from coveralls #3943) and hyperlink. Will file an issue on hyperlink. Remove dependency on deprecated request package Munter/hyperlink#200
• taffydb: Hasn't been updated in 7 years. Comes from https://github.com/mochajs/mocha-docdash. We'll want to align back to the upstream docdash dependency. 🛠 Repo: Pull in @mocha/docdash updates #5072
• tough-cookie: Comes from taffydb (☝️), assetgraph -> jsdom, and coveralls -> request (☝️) -> jsdom. Will file an issue on assetgraph. Pull in jsdom@^23.0.0 for [email protected] assetgraph/assetgraph#1297

[voxpelli]

Related:

• 🛠 Repo: Set up Renovate #5055
• 📦 Package: Switch dependency versions to ^ ranges #5114

[voxpelli]

coveralls is gone #5128 and assetgraph since #5175, so of the three packages not dealt with by #5071 they all remain, but tough-cookie only because of taffydb now and request only due to hyperlink

#5042 also removes a couple of dependencies and may help clean things up

[voxpelli]

And hyperlink is gone since #5176, so request dependency should be gone – only @mocha/docdash / #5072 remains, and the #5071