MLE-24228 Bumping mocha and glob

rjrudin · rjrudin · commit fd332feac53b · 2025-11-18T11:21:53.000-05:00
Fixes some CVEs
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -85,11 +85,11 @@ brace-expansion: "2.0.2"
 - Why needed: Prevents regex denial of service attacks
 - CVE/Issue: Related to minimatch vulnerabilities
 
-glob: "10.3.11"
-- Purpose: Fixes ReDoS and security issues in file globbing
-- Affects: mocha, gulp-mocha build tooling
-- Why needed: Older glob versions have pattern matching vulnerabilities
-- CVE/Issue: Multiple vulnerabilities in older glob versions
+glob: "12.0.0"
+- Purpose: Fixes command injection vulnerability in glob CLI
+- Affects: mocha, gulp-mocha, rimraf (via bunyan/mv)
+- Why needed: Versions 10.3.7-11.0.3 vulnerable to command injection via -c/--cmd flag
+- CVE/Issue: GHSA-5j98-mcp5-4vw2 - Command injection via shell:true execution
 
 glob-parent: "6.0.2"
 - Purpose: Fixes ReDoS in path parsing
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -55,7 +55,7 @@
     "gulp-mocha": "10.0.1",
     "intercept-stdout": "0.1.2",
     "jsdoc": "4.0.5",
-    "mocha": "11.7.4",
+    "mocha": "11.7.5",
     "mocha-junit-reporter": "2.2.1",
     "moment": "2.30.1",
     "sanitize-html": "2.17.0",
@@ -76,7 +76,7 @@
     "color-name": "2.0.0",
     "cross-spawn": "7.0.6",
     "debug": "4.3.6",
-    "glob": "10.3.11",
+    "glob": "12.0.0",
     "glob-parent": "6.0.2",
     "minimatch": "5.1.0",
     "semver": "7.5.3",
