Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update to [email protected] for ansi-regex CVE-2021-3807 #111

Closed
mriedem opened this issue Oct 21, 2021 · 4 comments · Fixed by #112
Closed

Update to [email protected] for ansi-regex CVE-2021-3807 #111

mriedem opened this issue Oct 21, 2021 · 4 comments · Fixed by #112

Comments

@mriedem
Copy link
Contributor

mriedem commented Oct 21, 2021

The latest version of cliui requires strip-ansi 6.0.0 which requires ansi-regex 5.0.0 which has a CVE against it:

https://nvd.nist.gov/vuln/detail/CVE-2021-3807

Update the cliui dependency on strip-ansi to 6.0.1 which requires ansi-regex 5.0.1 to resolve the vulnerability in this dependency chain:

https://github.com/chalk/strip-ansi/blob/v6.0.1/package.json#L47

I'm here because of this dependency chain:

├─┬ @carbon/[email protected]
│ └─┬ @carbon/[email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └─┬ [email protected]
│         └── [email protected]

Updating to the latest @carbon/[email protected] does not resolve that issue.

This may be related to issues #106 and #110.
@mriedem
Copy link
Contributor Author

mriedem commented Oct 21, 2021

npm audit also mentions this as GHSA-93q8-gq69-wqmw.

mriedem added a commit to mriedem/cliui that referenced this issue Oct 21, 2021
@mriedem
Updates for ansi-regex 5.0.1 and CVE-2021-3807
b8d6a4e 
This updates strip-ansi and mocha to pick up
ansi-regex 5.0.1 for CVE-2021-3807 [1][2].

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-3807
[2] GHSA-93q8-gq69-wqmw

Closes yargs#111
@mriedem mriedem mentioned this issue Oct 21, 2021
Merged
@opravil-jan
Copy link

Hi,

any progress in updating dependencies please?

Thanks
Jonh

@mriedem
Copy link
Contributor Author

mriedem commented Nov 2, 2021

Hi,

any progress in updating dependencies please?

Thanks Jonh

There are at least two open PRs but need a maintainer to run checks on them.

@constantinirimia
Copy link

Hi
Any updates on this?
Thank you!
Constantin

@remyroy remyroy mentioned this issue Nov 25, 2021
Closed
@bcoe bcoe closed this as completed in #112 Feb 5, 2022
bcoe pushed a commit that referenced this issue Feb 5, 2022
@mriedem
Updates for ansi-regex 5.0.1 and CVE-2021-3807 (#112)
13a2a9d 
This updates strip-ansi and mocha to pick up
ansi-regex 5.0.1 for CVE-2021-3807 [1][2].
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-3807
[2] GHSA-93q8-gq69-wqmw
Closes #111
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: updates for ansi-regex 5.0.1 and CVE-2021-3807 mriedem/cliui
3 participants
@opravil-jan @mriedem @constantinirimia