chore: Bump fast-check to version 3 (ramda#3301)

The version 3 of fast-check added something very interesting for libraries such as ramda: it can more likely produce values such as `__proto__` or `toString` which are known sources for CVE. On fast-check's side, I also worked on some tooling making poisoning related issues even simpler to detect with an automatic detection for poisoning on globals. I successfully found back several past CVEs of lodash thanks to it.
kedashoe · May 24, 2024 · de700e2 · de700e2
1 parent c766083
commit de700e2
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 23 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -109,7 +109,7 @@
     "envvar": "^2.0.0",
     "eslint": "^8.53.0",
     "eslint-plugin-import": "^2.29.0",
-    "fast-check": "^2.12.0",
+    "fast-check": "^3.18.0",
     "handlebars": "^4.7.8",
     "js-yaml": "^4.1.0",
     "mocha": "^10.2.0",

diff --git a/test/symmetricDifference.js b/test/symmetricDifference.js
@@ -59,7 +59,7 @@ describe('symmetricDifference', function() {
 
   it('returns empty arrays when receiving an array and a permutation of it', function() {
     fc.assert(fc.property(fc.clone(compatibleREquals, 2).chain(function(arrays) {
-      return fc.tuple(fc.constant(arrays[0]), fc.shuffledSubarray(arrays[1], arrays[1].length, arrays[1].length));
+      return fc.tuple(fc.constant(arrays[0]), fc.shuffledSubarray(arrays[1], {minLength: arrays[1].length, maxLength: arrays[1].length}));
     }), function(arrays) {
       var A1 = arrays[0];
       var A2 = arrays[1];