fix: Resolve security vulnerabilities and ignore unfixable transitive dep vulns by anurag-stepsecurity · Pull Request #72 · step-security/test-reporting

anurag-stepsecurity · 2026-04-09T10:56:51Z

Description

This PR:

Bumps mocha to v11 in reports/mocha and reports/mochawesome test fixtures to fix minimatch, picomatch, nanoid, js-yaml, and diff vulns.
Adds osv-scanner.toml to ignore entries for serialize-javascript (GHSA-5c6j-r48x-rmvq, GHSA-qj8w-gfj5-8c6v) in mocha and mochawesome fixtures — unfixable transitive dep of mocha 8-12.
Added root osv-scanner.toml to ignore 5 undici vulns — transitive dep not directly used by the action.

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>

anurag-stepsecurity marked this pull request as draft April 9, 2026 12:05

fix: Resolve security vulnerabilities

26974fa

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>

anurag-stepsecurity force-pushed the fix-vulns branch from b260193 to 26974fa Compare April 9, 2026 12:33

anurag-stepsecurity marked this pull request as ready for review April 9, 2026 12:34