Hi @mmanela, would it be possible for you to review this PR? It would help us to be able to remove this security issue from our radar.

Ping @mmanela

Sorry for the delay. Did you validate if everything works? I remember years ago I had looked at a JSDOM updated and it broke a lot. @Evangelink

I haven't done any extra manual test no. I assumed that there was integration tests that would catch such issue. Happy to run any test but I would need some guidance from you because I am not really using your tool per say. I am part of the MS test platform team and we simply have some acceptance tests using your tool to ensure we don't break compatibility for JS testing (meaning that I am not actively using this tool). I am happy to learn because I expect to be doing regular PRs here for security reasons.

The other thing to consider @Evangelink is that this is not really a vulnerability that need actioning. Chutzpah is not a server application and is just run local client app. The risk for exposure is super minimal. Chutzpah gets flagged for these things though since the libs it uses may be used in web sites that are actually exploitable.

Sadly it will be harder for us to investigate, justify and ensure that vulnerabilities can't be exploited in any way rather than "simply" bumping the dependencies. Although I understand this will generate some extra review/release job on your side.