Update dependency mocha to v10.8.0 - autoclosed

[mend-for-github-com]

This PR contains the following updates:

Package	Type	Update	Change
mocha (source)	devDependencies	minor	10.7.3 → 10.8.0

By merging this PR, the below issues will be automatically resolved and closed:

Severity	CVSS Score	Vulnerability	GitHub Issue
High	7.5	CVE-2026-27904	#11398

---

Release Notes

mochajs/mocha (mocha)

v10.8.0

Compare Source

🌟 Features

• highlight browser failures (#​5222) (8ff4845)

🩹 Fixes

• remove :is() from mocha.css to support older browsers (#​5225) (#​5227) (0a24b58)

📚 Documentation

• add SECURITY.md pointing to Tidelift (#​5210) (bd7e63a)
• adopt Collective Funds Guidelines 0.1 (#​5199) (2b03d86)
• update README, LICENSE and fix outdated (#​5197) (1203e0e)

🧹 Chores

• fix npm scripts on windows (#​5219) (1173da0)
• remove trailing whitespace in SECURITY.md (7563e59)

---

• If you want to rebase/retry this PR, check this box

[github-actions]

❌ Invalid Changelog Heading

The '## Changelog' heading in your PR description is either missing or malformed. Please make sure that your PR description includes a '## Changelog' heading with proper spelling, capitalization, spacing, and Markdown syntax.

[github-actions]

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit b7f64a0.

Path	Line	Severity	Description
yarn.lock	13410	low	Integrity hash for fs.realpath@1.0.0 changed from SHA1 to SHA512 without any version change. SHA1-to-SHA512 migration is a legitimate practice, but integrity hash swaps without version bumps should be cross-checked against the npm registry to confirm the SHA512 value matches the published artifact.
yarn.lock	14798	low	Integrity hash for inflight@1.0.6 changed from SHA1 to SHA512 without a version change. Same concern as fs.realpath: the new SHA512 value should be verified against the official npm registry entry for this exact version.
yarn.lock	20662	low	Integrity hash for require-directory@2.1.1 changed from SHA1 to SHA512 without a version change. Should be verified against npm registry.
yarn.lock	24837	low	Integrity hash for wrappy@1.0.2 changed from SHA1 to SHA512 without a version change. Should be verified against npm registry.

The table above displays the top 10 most important findings.

Total: 4 | Critical: 0 | High: 0 | Medium: 0 | Low: 4

---

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

---

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

[github-actions]

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 4c6d677.

Path	Line	Severity	Description
yarn.lock	13654	medium	Integrity hash for 'fs.realpath@1.0.0' changed from SHA1 to SHA512 without a version bump. While SHA512 is stronger, replacing the integrity anchor for a pinned version allows the hash to be recalculated against different (potentially malicious) package content. Should be verified against the official npm registry hash.
yarn.lock	15042	medium	Integrity hash for 'inflight@1.0.6' changed from SHA1 to SHA512 without a version bump. Same concern as fs.realpath — the trust anchor for this pinned package is being silently replaced. Warrants verification against the npm registry.
yarn.lock	21002	medium	Integrity hash for 'require-directory@2.1.1' changed from SHA1 to SHA512 without a version bump. The resolved URL and version are unchanged, but swapping the integrity algorithm is a viable vector to silently substitute modified package content if the new hash was computed against tampered tarball bytes.
yarn.lock	25194	medium	Integrity hash for 'wrappy@1.0.2' changed from SHA1 to SHA512 without a version bump. Same pattern as the other three packages — the pinned version stays the same but the hash algorithm changes, which could mask substituted content. All four SHA1→SHA512 changes affect foundational npm utility packages that are transitive dependencies of many build tools, making them attractive supply-chain targets.

The table above displays the top 10 most important findings.

Total: 4 | Critical: 0 | High: 0 | Medium: 4 | Low: 0

---

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

---

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

[github-actions]

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 3c33fd0.

Path	Line	Severity	Description
yarn.lock	13654	low	Multiple packages (fs.realpath@1.0.0, inflight@1.0.6, require-directory@2.1.1, wrappy@1.0.2) have their integrity hashes changed from SHA1 to SHA512 while remaining at the same version. This is standard npm/yarn migration away from deprecated SHA1 hashes and is almost certainly legitimate, but the new SHA512 hashes cannot be verified in this review without querying the npm registry directly. A supply chain attack could theoretically use this pattern to swap hashes for tampered packages.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 0 | Medium: 0 | Low: 1

---

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

---

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

[github-actions]

❌ Invalid Changelog Heading

The '## Changelog' heading in your PR description is either missing or malformed. Please make sure that your PR description includes a '## Changelog' heading with proper spelling, capitalization, spacing, and Markdown syntax.

[github-actions]

❌ Invalid Changelog Heading

The '## Changelog' heading in your PR description is either missing or malformed. Please make sure that your PR description includes a '## Changelog' heading with proper spelling, capitalization, spacing, and Markdown syntax.