
Update to strip-ansi@6.0.1 for ansi-regex CVE-2021-3807 #111

Closed
mriedem opened this issue Oct 21, 2021 · 4 comments · Fixed by #112

Comments

@mriedem
Contributor

mriedem commented Oct 21, 2021

The latest version of cliui requires strip-ansi 6.0.0, which requires ansi-regex 5.0.0, which has a CVE against it:

https://nvd.nist.gov/vuln/detail/CVE-2021-3807

Update the cliui dependency on strip-ansi to 6.0.1 which requires ansi-regex 5.0.1 to resolve the vulnerability in this dependency chain:

https://github.com/chalk/strip-ansi/blob/v6.0.1/package.json#L47

I'm here because of this dependency chain:

├─┬ @carbon/charts-vue@0.41.95
│ └─┬ @carbon/telemetry@0.0.0-alpha.6
│   └─┬ yargs@16.2.0
│     └─┬ cliui@7.0.4
│       └─┬ strip-ansi@6.0.0
│         └── ansi-regex@5.0.0

Updating to the latest @carbon/charts-vue@0.41.95 does not resolve that issue.

This may be related to issues #106 and #110.

@mriedem
Contributor Author

mriedem commented Oct 21, 2021

npm audit also mentions this as GHSA-93q8-gq69-wqmw.

mriedem added a commit to mriedem/cliui that referenced this issue Oct 21, 2021
This updates strip-ansi and mocha to pick up
ansi-regex 5.0.1 for CVE-2021-3807 [1][2].

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-3807
[2] GHSA-93q8-gq69-wqmw

Closes yargs#111
@opravil-jan

Hi,

any progress in updating dependencies please?

Thanks
Jonh

@mriedem
Contributor Author

mriedem commented Nov 2, 2021

Hi,

any progress in updating dependencies please?

Thanks Jonh

There are at least two open PRs, but they need a maintainer to run checks on them.

@constantinirimia

Hi
Any updates on this?
Thank you!
Constantin

@bcoe bcoe closed this as completed in #112 Feb 5, 2022

bcoe pushed a commit that referenced this issue Feb 5, 2022
This updates strip-ansi and mocha to pick up
ansi-regex 5.0.1 for CVE-2021-3807 [1][2].

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-3807
[2] GHSA-93q8-gq69-wqmw

Closes #111
3 participants