npm audit ansi-regex #108

Open
kmalakoff opened this issue Oct 9, 2021 · 11 comments · May be fixed by #109

Comments

@kmalakoff

I'm getting these npm audit warnings. Can you please update the dependency on ansi-regex for this module?

ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - GHSA-93q8-gq69-wqmw
fix available via npm audit fix --force
Will install karma-mocha-reporter@2.2.3, which is a breaking change
node_modules/inquirer-autosubmit-prompt/node_modules/ansi-regex
node_modules/inquirer-autosubmit-prompt/node_modules/string-width/node_modules/ansi-regex
node_modules/karma-mocha-reporter/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/inquirer-autosubmit-prompt/node_modules/string-width/node_modules/strip-ansi
node_modules/inquirer-autosubmit-prompt/node_modules/strip-ansi
node_modules/karma-mocha-reporter/node_modules/strip-ansi
node_modules/wrap-ansi/node_modules/strip-ansi
inquirer 3.2.0 - 7.0.4
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/inquirer-autosubmit-prompt/node_modules/inquirer
inquirer-autosubmit-prompt *
Depends on vulnerable versions of inquirer
node_modules/inquirer-autosubmit-prompt
listr-input >=0.2.0
Depends on vulnerable versions of inquirer-autosubmit-prompt
node_modules/listr-input
np >=4.0.0
Depends on vulnerable versions of listr
Depends on vulnerable versions of listr-input
node_modules/np
karma-mocha-reporter >=2.2.4
Depends on vulnerable versions of strip-ansi
node_modules/karma-mocha-reporter
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/inquirer-autosubmit-prompt/node_modules/string-width
node_modules/wrap-ansi/node_modules/string-width
wrap-ansi 3.0.0 - 6.1.0
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/wrap-ansi
log-update 2.1.0 - 3.4.0
Depends on vulnerable versions of wrap-ansi
node_modules/log-update
listr-update-renderer >=0.5.0
Depends on vulnerable versions of log-update
node_modules/listr-update-renderer
listr >=0.14.3
Depends on vulnerable versions of listr-update-renderer
node_modules/listr

12 moderate severity vulnerabilities
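
Added example, not part of the original post or of any project named here: walking the `effects` edges of an `npm audit --json` report (npm 7+ format) back from `ansi-regex` shows which direct dependencies pull it in. The sample report is constructed from the package names listed above; which packages are direct (`isDirect`) is an assumption, and `chainsToDirectDeps` is a hypothetical helper name.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
// Names and edges mirror the report above; the isDirect flags are ASSUMED,
// because the text report does not say which packages are direct dependencies.
const v = (name, effects, isDirect = false) => [name, { name, isDirect, effects }];
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: Object.fromEntries([
    v('ansi-regex', ['strip-ansi']),
    v('strip-ansi', ['inquirer', 'karma-mocha-reporter', 'string-width', 'wrap-ansi']),
    v('string-width', ['inquirer', 'wrap-ansi']),
    v('inquirer', ['inquirer-autosubmit-prompt']),
    v('inquirer-autosubmit-prompt', ['listr-input']),
    v('listr-input', ['np']),
    v('wrap-ansi', ['log-update']),
    v('log-update', ['listr-update-renderer']),
    v('listr-update-renderer', ['listr']),
    v('listr', ['np']),
    v('np', [], true),
    v('karma-mocha-reporter', [], true),
  ]),
};

// Breadth-first walk along `effects` (package -> packages that depend on it).
// Returns { directDependency: shortest chain from rootName to it }.
function chainsToDirectDeps(report, rootName) {
  const vulns = report.vulnerabilities || {};
  const result = {};
  const seen = new Set([rootName]); // guards against dependency cycles
  const queue = [[rootName]];
  while (queue.length > 0) {
    const path = queue.shift();
    const entry = vulns[path[path.length - 1]];
    if (!entry) continue; // named in `effects` but missing from the report
    if (entry.isDirect) result[entry.name] = path;
    for (const next of entry.effects || []) {
      if (seen.has(next)) continue; // first visit in BFS is a shortest chain
      seen.add(next);
      queue.push([...path, next]);
    }
  }
  return result;
}

const chains = chainsToDirectDeps(sampleReport, 'ansi-regex');
for (const [dep, path] of Object.entries(chains)) {
  console.log(`${dep}: ${path.join(' -> ')}`);
}
```

On a real project, pass the parsed output of `npm audit --json` instead of `sampleReport`; each key in the result is a direct dependency whose upgrade or replacement removes that chain.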

Den-dp added a commit to Den-dp/karma-mocha-reporter that referenced this issue Nov 22, 2021
@Den-dp

Den-dp commented Nov 22, 2021

Added PR to fix that

@hitendra-ap

hitendra-ap commented Dec 6, 2021

Hello @Den-dp,
Any updates regarding this issue? Or any ETA on this... when will it be fixed?
Actually, this vulnerability is blocking our application from being PCI DSS compliant.
Thanks

@Den-dp

Den-dp commented Dec 6, 2021

@hitendra-ap so my PR is here #109 but there are some failed tests that someone should take a look at.

It is up to the maintainer what to do with this PR.

@JugrajSripalJain

@artm @ppvg any thoughts?

@psnosignaluk

@LitixThomas would it be safe to assume that karma-mocha-reporter is no longer supported and is abandoned?

@Den-dp

Den-dp commented Dec 15, 2021

Added CI-related fix to #109. Now it's green 🟢

@LitixThomas
Member

Yes, karma-mocha-reporter is outdated and will no longer be maintained.

@tomkdgun

@LitixThomas @Den-dp Is someone going to take over ownership of this project? Any alternatives for this reporter?

@Den-dp

Den-dp commented Dec 23, 2021

Assuming that:

I hope that one day maintainers will reconsider their intent to drop this project and will find some time to merge the fix since right now it is low effort/low hanging fruit.

I have no plans on forking it and publishing it to npm.

@Sayan751

I think the main issue here might be that in the current versions, the dependency modules have moved from cjs to esm, which might be an issue with karma. The esm karma conf file issue is still open: karma-runner/karma#3677.

@JesseAppleton

Commenting to mention I'm looking for #109 to be merged as well. Maintainers, please consider.
