Mocha 10.2.0 ships with a critical security vulnerability in its dependency chain

Prerequisites

  • Checked that your issue hasn't already been filed by cross-referencing issues with the faq label
  • Checked next-gen ES issues and syntax problems by using the same environment and/or transpiler configuration without Mocha to ensure it isn't just a feature that actually isn't supported in the environment in question or a bug in your code.
  • 'Smoke tested' the code to be tested by running it outside the real test suite to get a better sense of whether the problem is in the code under test, your usage of Mocha, or Mocha itself
  • Ensured that there is no discrepancy between the locally and globally installed versions of Mocha. You can find them with: node_modules/.bin/mocha --version (Local) and mocha --version (Global). We recommend that you not install Mocha globally.

Description

v10.2.0 ships with a "critical severity" vulnerability in its dependency chain

Steps to Reproduce

npm install mocha

> npm install mocha

added 36 packages, changed 1 package, and audited 470 packages in 1s

55 packages are looking for funding
  run `npm fund` for details

1 critical severity vulnerability

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

> npm audit
# npm audit report

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

1 critical severity vulnerability

Additional Information

See https://github.com/advisories/GHSA-67hx-6x53-jw92

If it were a low-risk dependency, then people could just be told to run npm audit fix, but a critical vulnerability should always get the dependency chain updated ASAP with a new patch version pushed out.
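The audit output above covers the whole installed tree (470 packages were audited, not only the 36 that the mocha install added), so the first thing a maintainer or reporter needs to establish is which top-level dependency actually pulls in the flagged @babel/traverse copy. The script below is an added example, not code from the mocha project or from this issue: it walks a lockfileVersion 2/3 package-lock.json the way npm resolves node_modules, finds every installed copy of the advisory package below the fixed version (7.23.2, as reported by npm audit), and prints the shortest dependency chain from the project root to it. The embedded lockfile is constructed for illustration; "example-project", "example-build-tool" and their versions are assumptions, not anything observed in the issue.

```javascript
// Added example (not from the mocha issue or the mocha project).
// Locate installed copies of an advisory package below its fixed version in a
// package-lock.json and report the dependency chain that pulls each one in.

// Advisory data taken from the npm audit output in the issue (GHSA-67hx-6x53-jw92).
const ADVISORY = { name: "@babel/traverse", fixedIn: "7.23.2" };

// CONSTRUCTED lockfile (lockfileVersion 3 "packages" map). The root, the
// "example-build-tool" package and all versions here are assumptions made up
// for this example; only the @babel/traverse < 7.23.2 finding mirrors the issue.
const SAMPLE_LOCK = {
  name: "example-project",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-project", dependencies: { "example-build-tool": "^1.0.0", mocha: "^10.2.0" } },
    "node_modules/example-build-tool": { version: "1.0.0", dependencies: { "@babel/core": "^7.22.0" } },
    "node_modules/@babel/core": { version: "7.22.5", dependencies: { "@babel/traverse": "^7.22.5" } },
    "node_modules/@babel/traverse": { version: "7.22.5" },
    "node_modules/mocha": { version: "10.2.0", dependencies: { debug: "4.3.4" } },
    "node_modules/debug": { version: "4.3.4" },
  },
};

// Compare two dotted numeric versions: -1, 0 or 1. Prerelease tags are not
// handled, which is enough for the release versions npm audit flags here.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Resolve dependency `name` as seen from the package installed at `from`,
// mirroring npm's lookup: the nearest nested node_modules wins, then each
// enclosing node_modules up to the project root.
function resolve(lock, from, name) {
  let dir = from;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (dir === "") return null; // not in the lockfile at all
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx === -1 ? "" : dir.slice(0, idx);
  }
}

// Breadth-first walk from the root. Each installed package path is visited
// once, so the chain recorded for a vulnerable copy is the shortest one.
function findVulnerableChains(lock, advisory) {
  const results = [];
  const seen = new Set([""]);
  const queue = [{ path: "", chain: [lock.packages[""].name || "(root)"] }];
  while (queue.length) {
    const { path, chain } = queue.shift();
    const deps = lock.packages[path].dependencies || {};
    for (const dep of Object.keys(deps)) {
      const target = resolve(lock, path, dep);
      if (!target || seen.has(target)) continue;
      seen.add(target);
      const version = lock.packages[target].version;
      const nextChain = chain.concat(`${dep}@${version}`);
      if (dep === advisory.name && compareVersions(version, advisory.fixedIn) < 0) {
        results.push({ path: target, version, chain: nextChain });
      }
      queue.push({ path: target, chain: nextChain });
    }
  }
  return results;
}

// Report each vulnerable copy as "root > dep@ver > ... > @babel/traverse@ver".
const findings = findVulnerableChains(SAMPLE_LOCK, ADVISORY);
for (const f of findings) {
  console.log(`${f.path} (${f.version} < ${ADVISORY.fixedIn}): ${f.chain.join(" > ")}`);
}
if (findings.length === 0) {
  console.log(`no copy of ${ADVISORY.name} below ${ADVISORY.fixedIn} found`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of that project's package-lock.json (for example `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`). If the chain ends at a package other than mocha, the fix belongs in that package's dependency range, and `npm audit fix` will resolve it as long as the range already admits 7.23.2; `npm ls @babel/traverse` gives the same chain from npm itself.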