chore: switch from mocha+chai to node:test #7
Merged
Removes the entire mocha dependency chain — including the unpatchable serialize-javascript and diff CVEs upstream of mocha 11.7.5 (Dependabot alerts #33 and siblings, GHSA-qj8w-gfj5-8c6v / GHSA-5c6j-r48x-rmvq / GHSA-73rr-hh4g-fpgx).

node:test ships with Node 18+ and exposes describe/it directly; node:assert/strict replaces chai's should() API.

Test files rewritten:
- conformance.spec.js (58 cases, the contract)
- param.spec.js (legacy)
- deparam.spec.js (legacy)

Translation pattern: chai .should.equal → assert.equal, .should.deep.equal → assert.deepEqual, .should.be.a('type') → typeof check. The strict variant (node:assert/strict) means .equal already behaves as .strictEqual; .deepEqual already behaves as .deepStrictEqual.

DevDeps removed: mocha (^11.7.5), chai (^4.5.0), and all their transitive deps — 88 packages gone from node_modules and the lockfile shrinks by ~1840 lines.

Scripts: `npm test` now runs `node --test test/*.spec.js` instead of `mocha test`. CI workflow same swap. Floor smoke unchanged (already used node:assert).

Audit: `npm audit` (full, incl. devDeps) drops from 3 vulns to **0**. Runtime audit stays at 0.

ESLint mocha-globals block removed from test files since describe/it now come from `require('node:test')`.
Summary

Removes the entire mocha+chai dependency chain by migrating to the built-in `node:test` runner with `node:assert/strict`. Eliminates the three unpatchable Dependabot advisories upstream of mocha 11.7.5 — `serialize-javascript` (CVE-2026-34043, alert #33), `serialize-javascript` (GHSA-5c6j-r48x-rmvq), and `diff` (GHSA-73rr-hh4g-fpgx). All three were dev-only but they cluttered the audit picture. `npm audit` (full, including devDeps) drops from 3 → 0.

What changed

- `mocha@^11.7.5` (+ 88 transitive deps) → `node:test` (built into Node 18+)
- `chai@^4.5.0` → `node:assert/strict`
- `describe` / `it` from mocha globals → `const { describe, it } = require('node:test')`
- `.should.equal()`, `.should.deep.equal()`, `.should.be.a('type')` → `assert.equal()`, `assert.deepEqual()`, `typeof` checks
- `npx mocha test` → `node --test test/*.spec.js`

Test files rewritten

All three preserve their existing test counts (82 total) and assertions:

- `test/conformance.spec.js` — the Reference Conformance Spec (58 cases). The contract; every case still pinned.
- `test/param.spec.js` — legacy specs (8 cases).
- `test/deparam.spec.js` — legacy specs (16 cases).

The translation is mechanical:

- `.should.equal(x)` → `assert.equal(actual, x)`. Because we use `node:assert/strict` (the strict variant), `.equal` already behaves like chai's deep-equality and node's `strictEqual` — no looser comparisons sneak in.

CI changes

- `test` matrix: `npx mocha test` → `node --test test/*.spec.js`
- `test-upstream-latest`: `npx mocha test/conformance.spec.js` → `node --test test/conformance.spec.js`
- `floor` matrix: unchanged — `smoke-floor.js` already used `node:assert` (no mocha/chai involved). Node 0.10/0.12/4 floors still verified.

ESLint config

Removed the mocha-globals block (`describe`, `it`, `before`, `after`, etc.) from the `test/**/*.js` rules since we now import them via `require('node:test')`. Test files keep `ecmaVersion: 2022` since they run on Node 18+ only.

Test plan

- Lint + format: green
- node --test)
- Conformance against qs@latest: green
- npm audit (runtime only): green

Lockfile delta

`package-lock.json` shrinks by ~1840 lines. 88 packages removed from `node_modules`. The full audit going from 3 → 0 closes Dependabot alerts #33 and its siblings automatically on merge.

No version bump

DevDep-only change. The published tarball is unchanged. No `npm publish` needed.
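
A lockfile guard for the removal described above, as an added example that is not part of this PR or the project's code: it walks the `packages` map of a v2/v3 `package-lock.json` and reports any remaining copy, nested ones included, of the packages the PR names. The names `BANNED`, `packageName`, `findBanned` and both sample lockfiles are assumptions constructed for illustration.

```javascript
// Added example: flag lockfile entries for packages this PR removed.
// BANNED is an assumption built from the package names the PR text mentions.
const BANNED = new Set(['mocha', 'chai', 'serialize-javascript', 'diff']);

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function packageName(lockKey) {
  const marker = 'node_modules/';
  const idx = lockKey.lastIndexOf(marker);
  return idx === -1 ? null : lockKey.slice(idx + marker.length);
}

// Returns one finding per banned package instance, nested copies included.
function findBanned(lock, banned = BANNED) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (name !== null && banned.has(name)) {
      findings.push({ name, path: key, version: meta.version, dev: meta.dev === true });
    }
  }
  return findings.sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

// Constructed sample lockfiles, not the project's real package-lock.json.
const BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample', devDependencies: { mocha: '^11.7.5', chai: '^4.5.0' } },
    'node_modules/chai': { version: '4.5.0', dev: true },
    'node_modules/mocha': { version: '11.7.5', dev: true },
    'node_modules/mocha/node_modules/diff': { version: '0.0.0-sample', dev: true },
    'node_modules/serialize-javascript': { version: '0.0.0-sample', dev: true },
    'node_modules/@types/diff': { version: '0.0.0-sample', dev: true }, // exact-name match only
  },
};
const AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample', devDependencies: { qs: 'latest' } },
    'node_modules/qs': { version: '0.0.0-sample', dev: true },
  },
};

for (const [label, lock] of [['before', BEFORE], ['after', AFTER]]) {
  const hits = findBanned(lock);
  console.log(label, hits.length, hits.map((h) => `${h.path}@${h.version}`));
}
```

In CI the same function can take the parsed `package-lock.json` and fail the job on any finding, which catches a later dependency quietly pulling one of these packages back in.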