Upgrade mocha to 4.1.0

[cgewecke]

This should address the security vulnerability reported in #941 (for Truffle).

• Issue at mocha and confirmed fix.
• List of breaking changes at mocha for v4 - seems ok. . . . .

Incidentally, this issue was found using a new command that comes with NPM 6

npm audit

[gnidan]

Oh neat, must check that out!

[frangio]

@cgewecke This hasn't fixed the vulnerability warnings because they come from truffle-core, not from truffle itself. 😿

https://github.com/trufflesuite/truffle-core/blob/1a6046a1da14d6d19acd335d0c4789dd0ee5607f/package.json#L22

truffle/yarn.lock

Lines 6935 to 6936 in 495f8d0

	mocha@^3.0.0, mocha@^3.2.0, mocha@^3.4.2:
	version "3.4.2"

In fact, it's only a devDependency of truffle, and it is a proper dependency of truffle-core. So this only updated the Mocha version used to test Truffle itself.

[cgewecke]

@frangio How are you getting the warnings? When I install I see this:

cgewecke$ npm install truffle
npm WARN [email protected] No description
npm WARN [email protected] No repository field.

+ [email protected]
updated 1 package in 4.962s
[+] no known vulnerabilities found [132 packages audited]

cgewecke$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
[+] no known vulnerabilities found
    Packages audited: 132 (0 dev, 0 optional)

cgewecke$ 

It's a little confusing but because Mocha doesn't webpack well it's a dep of truffle - set here and then injected into the bundle here. Could be something's going wrong there though.

[cgewecke]

@frangio 4.1.10 has mocha 4 in the core. Thanks for pinging this.

[cgewecke]

4.1.10 got lost at npm during an outage. Now fixed at 4.1.11