Security Vulnerabilities with Mocha v9 and dependency on @serverless/test

[punit1108]

Mocha@v9 is getting old. It has got a few ongoing vulnerabilities now.

Tried upgrading to Mocha@v11, but @serverless/test is dependent on Mocha@v9 -

Then, i tried upgrading to Mocha@v10, turns out the it doesn't crash at peerDependencies, but the isolated tests are dependent on the code -

Not that it's a major fix but seems like serverless has made the repository private now and it's no longer available for OSS contributions. Also it was last published 3 years ago, hence i don't think they have any plans to maintain it anymore.

I am opening this issue to discuss how to handle this situation. @mnapoli

[punit1108]

One way would to be take the @serverless/test@1.11.1 (which has an MIT license) code and add it to the osls code itself.

[mnapoli]

Yeah I would love to get rid of this dependency, if we could that would be awesome!

[punit1108]

@mnapoli @GrahamCampbell

#140

Could someone take a look and help close this issue?

[mnapoli]

@punit1108 please don't ping like that. Things will get handled when they will. AFAICT these supposed vulnerabilities don't apply at all for a CLI application like serverless, nothing critical is happening except making checkers happy.

[punit1108]

nothing critical is happening except making checkers happy

We have a lot of services dependent on the serverless framework, for people looking to move to osls, it will matter knowing that the project is being actively maintained.
Going unresponsive when someone is trying to actively contribute to your projects, portrays that this project itself could be a non-serious one.

[mnapoli]

@punit1108 pay me for work, or leave me alone. You are in no position to make demands. Your work is not my work unless we are in a professional relationship.

If you can't accept that from open source projects, then don't use open source. Don't try to shift the burden on me, I don't need you to take the project seriously. You need that project, I don't need your opinion.

This is the end of that discussion. You are not the first and these kinds of remarks are exactly why OSS maintainers burn out. I need to protect myself from this. If you don't accept those terms I will ban you from this project.