mocha-isolation
Provides process isolation for each test file running in mocha while preserving the single-run ease-of-use and reporting.
mocha-isolation provides process isolation for each test file running in mocha. Each test file (JavaScript or TypeScript) runs in complete isolation from the parent mocha process. The root mocha process remains unaltered in its knowledge that all the tests have run, and has full access to their success/failure outcome and error/stack trace. This provides a seamless reporting/running experience.
In addition to mocha reporting remaining unaware of the isolation, we have tested with istanbuljs/nyc to ensure that code coverage can still be maintained seamlessly.
The ability to debug running mocha tests is also an important part of the development process. To better support debugging, mocha-isolation will automatically disable itself when it detects the process is listening for a debugger.
Due to the mechanics used for test isolation, I can not speak to the usability of this with browser-based tests, nor are there plans to support that endeavor. If you wish to contribute, please feel free to get in contact or send a pull request.
In your node root, run:
npm install --save-dev mocha-isolation
Add the following argument when running your mocha tests...
mocha --require mocha-isolation ./tests/*.js
Alternatively, you can specify the require argument in test/mocha.opts; see https://mochajs.org/#mochaopts
You can use global['mocha-isolation'] to determine if your code is running in an isolated child process:
describe('foo', () => {
  it('bar', () => {
    if (global['mocha-isolation']) {
      console.log('running in isolation.');
    }
  })
});
mocha_isolation_debug existing as any 'truthy' value will enable diagnostic output in the console.
export mocha_isolation_debug=1
mocha_isolation_disable existing as any 'truthy' value will disable the plugin for all processes.
export mocha_isolation_disable=1
The isolation is provided by forking the current node process with child_process.fork. The forked process has full access to stdout/stderr, environment settings, command-line arguments, etc. The primary difference in runtime is the execution of before/after scopes, which are explained in more detail below.
mocha-isolation replaces Mocha's Runnable.prototype.run with its own method. When .run() is called, mocha-isolation takes over execution as follows:
Because we execute the hooks manually for technical reasons, we are unable to run the hooks at the same time mocha calls the run method of each hook. While this ensures that all appropriate hooks registered within a source file are executed, it also causes some issues with regard to reporting. Currently all hook errors are reported as test failures, since Mocha is unable to tell where the actual exception occurred.
While we ensure that all registered before/after hooks are called either before or after the test, we do not yet concern ourselves with scope, thus all before methods are executed at one time (startup) and all after methods will be executed at one time (shutdown) regardless of where they are defined. For the before hook, outer-most declarations are guaranteed to be executed first. The inverse is also true for the after hooks.
We take care to ensure that registered beforeEach and afterEach hooks are executed prior to and after each test. The order of execution, and which ones run, should be no different from that of Mocha. The only difference will be the aforementioned reporting of failures.
MIT Licence Copyright (c) 2018
FAQs
We found that mocha-isolation demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.