CVE-2021-3807 Resolution
fredkilbourn opened this issue
Inefficient Regular Expression Complexity in chalk/ansi-regex
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
This is coming from upstream but the fixes are just now reaching this level:
```
├ @discordjs/node-pre-gyp@0.4.2
└─┬ npmlog@5.0.1
  └─┬ gauge@3.0.1
    ├─┬ string-width@2.1.1
    │ └── strip-ansi@4.0.0 deduped
    ├─┬ strip-ansi@4.0.0
    │ └── ansi-regex@3.0.0
    └─┬ wide-align@1.1.5
      └── string-width@2.1.1 deduped
```
npmlog v5 is vulnerable, but npmlog v6 is now using the fixed upstream packages and is no longer vulnerable.
This commit in https://github.com/mapbox/node-pre-gyp now starts using npmlog v6: mapbox@ef8f171
I don't know if you guys are forking from main or waiting for release tags, but you should be able to integrate this fix now/soon.
Related upstream issue: mapbox#620
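One way to find chains like the one quoted above in your own project, as an added example that is not part of the issue or of node-pre-gyp: walk the parsed output of `npm ls --all --json` and report every path that ends in an ansi-regex release below the first patched version of its major line (CVE-2021-3807 was fixed in ansi-regex 3.0.1, 4.1.1, 5.0.1 and 6.0.1). The sample tree is constructed to mirror the chain in the issue; function names are this example's own.

```javascript
// Added example, not from the issue thread: walk an `npm ls --json`-style
// dependency tree and report every path ending in a vulnerable ansi-regex.
// CVE-2021-3807 was patched in ansi-regex 3.0.1, 4.1.1, 5.0.1 and 6.0.1;
// anything below the patched release of its major line (or below 3.x) is affected.
const FIRST_FIXED = { 3: [3, 0, 1], 4: [4, 1, 1], 5: [5, 0, 1], 6: [6, 0, 1] };

function isVulnerableAnsiRegex(version) {
  const parts = version.split('.').map(Number);
  const fixed = FIRST_FIXED[parts[0]];
  if (!fixed) return parts[0] < 3; // no 2.x or older release carries the fix
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== fixed[i]) return parts[i] < fixed[i];
  }
  return false; // exactly the first patched release of this major line
}

// Depth-first walk; `tree` is the parsed JSON from `npm ls --all --json`.
// Returns one "a@1 > b@2 > ansi-regex@3.0.0" string per vulnerable chain.
function findVulnerablePaths(tree, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === 'ansi-regex' && isVulnerableAnsiRegex(node.version)) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerablePaths(node, here)); // recurse into transitive deps
  }
  return hits;
}

// Constructed sample mirroring the chain quoted in the issue (not real npm output).
const SAMPLE_TREE = { dependencies: { '@discordjs/node-pre-gyp': { version: '0.4.2',
  dependencies: { npmlog: { version: '5.0.1',
    dependencies: { gauge: { version: '3.0.1',
      dependencies: { 'strip-ansi': { version: '4.0.0',
        dependencies: { 'ansi-regex': { version: '3.0.0' } } } } } } } } } } };

console.log(findVulnerablePaths(SAMPLE_TREE));
```

Run it against real data with `node -e` after piping `npm ls --all --json` into `JSON.parse`; an empty array means no unpatched ansi-regex is reachable from your package.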
@mapbox/node-pre-gyp@1.0.7 is now published which includes npmlog@6
2 week bump