Security Patch -> CVE-2023-43646

[lernerb]

Describe the bug

Dependabot is sending out notifications to all users of vitest on the latest version:

Chaijs/get-func-name vulnerable to ReDoS #553
Open Opened 2 weeks ago on get-func-name (npm)
Dependabot cannot update get-func-name to a non-vulnerable version
The latest possible version of get-func-name that can be installed is 2.0.0.
The earliest fixed version is 2.0.1.

Loupe just published the latest version today: https://github.com/chaijs/loupe/releases/tag/v2.3.7

Need to update utils & locks to match that fix so folks can upgrade without patching/overriding.

https://github.com/vitest-dev/vitest/blob/main/packages/utils/package.json#L55

Reproduction

Turn on Dependabot.

System Info

N/A

Used Package Manager

npm

Validations

• Follow our Code of Conduct
• Read the Contributing Guidelines.
• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
• The provided reproduction is a minimal reproducible example of the bug.

[AriPerkkio]

Need to update utils & locks to match that fix so folks can upgrade without patching/overriding.

Loupe's fix is a patch release. Can't you just update your lockfile and use latest version of Loupe?

[lernerb]

@AriPerkkio That's definitely a solution - we don't depend on it directly, so figured it may be simpler and better for the rest of the community if we can also bump the minimum patch version directly here as well so folks automatically get the update!