npm vulnerabilities fixes #8511
Conversation
Pull request overview
This PR updates the project’s tooling/dependencies (Node/Gulp/Mocha/etc.), removes unused/obsolete packages, replaces the external replicator dependency with an in-repo implementation, and updates the release publishing workflow to use the shared testcafe-build-system publish action.
Changes:
- Inlined the `replicator` package into `src/utils/replicator` and updated client-side imports accordingly; added server-side tests for the inlined implementation (including a GH-16 security regression test).
- Migrated server test execution away from `gulp-mocha-simple` to running Mocha via CLI; removed the custom mocha reporter dependency and adjusted brittle tests.
- Updated publish automation (removed `publish-please` and `.publishrc`, switched to a GitHub Actions-based publish flow) and bumped Node engine / dev tooling versions.
Reviewed changes
Copilot reviewed 22 out of 25 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| test/server/runner-test.js | Adjusts string-prefix assertions for runner error messages. |
| test/server/reporter-test.js | Adjusts reporter error message assertion to avoid chai-string dependency. |
| test/server/replicator-test.js | Adds coverage for the newly in-repo replicator implementation. |
| test/server/helpers/gh-16.js | Adds a helper for the GH-16 TypedArray deserialization security regression test. |
| test/server/compiler-test.js | Makes stack-frame assertions more robust across Node/Mocha/runtime variations. |
| test/server/cli-argument-parser-test.js | Replaces random long-string generation with deterministic long content. |
| test/functional/fixtures/api/es-next/iframe-switching/test.js | Improves multi-browser error assertions and adds a platform-specific skip. |
| src/utils/replicator/index.js | Introduces the inlined replicator implementation (previously external dependency). |
| src/utils/replicator/index.d.ts | Adds local TypeScript typings for the inlined replicator module. |
| src/client/driver/command-executors/client-functions/selector-executor/index.ts | Switches selector executor to use the in-repo replicator. |
| src/client/driver/command-executors/client-functions/replicator/transforms/selector-node-transform.ts | Updates transform typing import to the in-repo replicator module. |
| src/client/driver/command-executors/client-functions/replicator/transforms/selector-element-action-transform.ts | Updates transform typing import to the in-repo replicator module. |
| src/client/driver/command-executors/client-functions/replicator/transforms/function-transform.ts | Updates transform typing import to the in-repo replicator module. |
| src/client/driver/command-executors/client-functions/replicator/transforms/client-function-node-transform.ts | Updates transform typing import to the in-repo replicator module. |
| src/client/driver/command-executors/client-functions/replicator/index.ts | Switches replicator factory to use the in-repo replicator module. |
| src/client/driver/command-executors/client-functions/client-function-executor.ts | Switches client function executor to use the in-repo replicator module. |
| src/client-functions/replicator.js | Switches client-functions replicator usage to the in-repo replicator module. |
| package.json | Bumps Node engine requirement, updates tooling deps, removes unused packages and publish scripts. |
| Gulpfile.js | Replaces gulp-mocha-based server test runner with Mocha CLI execution; updates lint globs. |
| gulp/helpers/test-functional.js | Removes custom reporter wiring; keeps retry logic via Mocha options. |
| gulp/helpers/run-shell-commands.js | Adds a helper to run shell commands sequentially for Gulp steps. |
| @types/replicator/index.d.ts | Removes the old ambient typings for the external replicator package. |
| .publishrc | Removes publish-please configuration file (publish flow moved to GitHub Actions). |
| .github/workflows/publish.yml | Migrates npm publishing to the testcafe-build-system publish action. |
| }, | ||
| "engines": { | ||
| "node": ">=16.0.0" | ||
| "node": ">=20.0.0" |
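Review bot: raising `engines.node` from `>=16.0.0` to `>=20.0.0` drops Node 16 and 18 for every consumer of the package, which is a breaking change and not a vulnerability fix; the PR title does not signal it and the summary only mentions the bump in passing. Either split it into its own PR with a changelog entry and the matching version bump, or keep `>=16.0.0` here if only the dev tooling (Gulp/Mocha) needs Node 20, since devDependency requirements do not have to be mirrored in the runtime `engines` field.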
let's do this in a separate PR
| expect(lastErr).instanceOf(ReporterPluginError); | ||
| expect(lastErr.message).startsWith(`The "${method}" method of the "customReporter" reporter produced an uncaught error. Error details:\nError: oops`); | ||
| expect(lastErr.message.startsWith(`The "${method}" method of the "customReporter" reporter produced an uncaught error. Error details:\nError: oops`)).to.be.true; |
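Review bot: wrapping the prefix check in `expect(...).to.be.true` turns every failure into `expected false to be true` and hides the actual message, which is the one value needed to diagnose it. Keep the comparison visible to chai instead: compare `lastErr.message.slice(0, expected.length)` against the expected prefix with `.to.equal(expected)` so a failure prints both strings and a diff, or use `.to.match(...)` with a regex anchored at `^` (escaping the interpolated `method` name). The same applies to the string-prefix assertions changed in `test/server/runner-test.js` in this PR.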
Could you please clarify this change? If this test fails it'll be quite complicated to find the exact reason, since the comparison is hidden under expect(...).to.be.true;. If there's a problem with startsWith, maybe it's better to use match
Some of the dependency updates led to updating the chai version. The new version has no startsWith API, so I replaced it with the JS startsWith method.
| const opts = { | ||
| reporter: 'mocha-reporter-spec-with-retries', | ||
| timeout: getTimeout(3 * 60 * 1000), | ||
| timeout: getTimeout(3 * 60 * 1000), |
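Review bot: dropping `reporter: 'mocha-reporter-spec-with-retries'` is only safe if the retries it provided are configured somewhere else; the per-file summary says retry logic is kept via Mocha options, but no `retries` entry is visible in this `opts` object, only `timeout`. Please point to where the retry count now lives (a `retries` key in these options, or `this.retries(n)` in the functional test setup); otherwise flaky functional tests lose their retries together with the reporter.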
But without these retries, blinking functional tests will be more annoying. I checked that mocha-reporter-spec-with-retries is only used in this repo, so we can move it into testcafe, and it's not needed to duplicate it in other repos. What do you think?
Yes, but it doesn't look to me like we really use this feature. I can do this if you insist.