
🔒 Security: Vulnerability Detected in Dependency (NPM inflight) #4988

Status: Closed (4 tasks done)
kat2codes opened this issue May 31, 2023 · 1 comment
Labels: area: security (involving vulnerabilities); invalid (not something we need to work on, such as a non-reproducing issue or an external root cause)

Comments


kat2codes commented May 31, 2023

Prerequisites

  • Checked that your issue hasn't already been filed by cross-referencing issues with the faq label
  • Checked next-gen ES issues and syntax problems by using the same environment and/or transpiler configuration without Mocha to ensure it isn't just a feature that actually isn't supported in the environment in question or a bug in your code.
  • 'Smoke tested' the code to be tested by running it outside the real test suite to get a better sense of whether the problem is in the code under test, your usage of Mocha, or Mocha itself
  • Ensured that there is no discrepancy between the locally and globally installed versions of Mocha. You can find them with: node_modules/.bin/mocha --version (local) and mocha --version (global). We recommend that you not install Mocha globally.

Description

I would like to report a high vulnerability that has been detected in one of the dependencies of Mocha. The vulnerability is present in the inflight package, specifically version 1.0.6. The vulnerability is classified as CWE-722: Missing Release of Resource after Effective Lifetime.

Package: inflight
Version: 1.0.6 (latest)
CWE: CWE-722 (Missing Release of Resource after Effective Lifetime)
Description: In NPM inflight there is a Memory Leak because some resources are not freed correctly after being used. It appears to affect all versions, as the issue was not addressed and no fix is found. NOTE: In the meantime, logdna-agent, a package that depends on inflight, has merged a commit to address this solely in their package (so it should be fixed in logdna-agent in versions 1.6.5 and later). Node-glob, a package that also depends on inflight, was also planning to address this by not using inflight after version 8 is released, but it is still being used.

Please note that I did not directly install or utilize the inflight package. Instead, it is a dependency of the Mocha package I am currently using, specifically version 10.2.0.

I kindly request the necessary actions to be taken to address and remediate this vulnerability to ensure the security and stability of the mocha framework. If any further info is required, please let me know.

Thanks!

Additional Information

[screenshot of the vulnerability report, attached to the original issue]
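As an added illustration that is not taken from the issue, from Mocha or from the inflight package, the following Node.js snippet models the defect class the report cites ("Missing Release of Resource after Effective Lifetime") on a constructed request-coalescing map: a key whose completion callback is never invoked is never released, a growing pending count is the symptom a maintainer could check for, and a time-bounded sweep releases stale entries. All names here (makeInflight, sweep, pendingCount, demoLeak) and the ttlMs/now options are hypothetical.

```javascript
// Added illustration, not inflight's own source: a minimal request-coalescing map
// in the style of an "in-flight" deduplicator. The names makeInflight, sweep,
// pendingCount and demoLeak and the options ttlMs/now are hypothetical.

function makeInflight({ ttlMs = Infinity, now = Date.now } = {}) {
  const reqs = new Map(); // key -> { cbs: [callback, ...], startedAt }
  // Contract of the pattern: the first caller for a key gets a `done` function,
  // later callers for the same key get null and are queued behind the first.
  function inflight(key, cb) {
    const entry = reqs.get(key);
    if (entry) {
      entry.cbs.push(cb);
      return null;
    }
    reqs.set(key, { cbs: [cb], startedAt: now() });
    return function done(...args) {
      const e = reqs.get(key);
      if (!e) return; // already released (or evicted by sweep)
      reqs.delete(key); // release before calling back so re-entrant calls start fresh
      for (const fn of e.cbs) fn(...args);
    };
  }
  // Mitigation: entries older than ttlMs are evicted and their waiters failed,
  // so a `done` that is never invoked cannot pin the key and its closures forever.
  function sweep() {
    const t = now();
    let evicted = 0;
    for (const [key, e] of reqs) {
      if (t - e.startedAt > ttlMs) {
        reqs.delete(key);
        evicted += 1;
        for (const fn of e.cbs) fn(new Error(`in-flight request ${key} timed out`));
      }
    }
    return evicted;
  }
  // Detection hook: a pending count that only ever grows is the symptom to watch.
  function pendingCount() { return reqs.size; }
  return { inflight, sweep, pendingCount };
}

// Unbounded use: callers that never call `done` leave n entries that nothing frees.
function demoLeak(n) {
  const { inflight, pendingCount } = makeInflight();
  for (let i = 0; i < n; i++) inflight(`key-${i}`, () => {});
  return pendingCount();
}
```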

JoshuaKGoldberg changed the title from "High Vulnerability Detected in Dependency (NPM inflight) of mocha" to "🔒 Security: Vulnerability Detected in Dependency (NPM inflight)" on Dec 28, 2023

JoshuaKGoldberg (Member) commented

Similar to #4987: the vast majority of security reports on GitHub/npm are at least semi-automated and spam. If you can demonstrate an actual security vulnerability in mocha, please do. Otherwise this isn't a productive report. Thanks for filing though - I do appreciate that you're trying to make things more secure!

JoshuaKGoldberg closed this as not planned (won't fix, can't repro, duplicate, stale) on Jan 18, 2024
JoshuaKGoldberg added the labels "area: security" and "invalid" and removed the label "unconfirmed-bug" on Jan 18, 2024