
Update vulnerable wrap-ansi dependency #310

Closed
Sindhura3 opened this issue Nov 16, 2021 · 9 comments · Fixed by #255 or #321

Comments

@Sindhura3

Sindhura3 commented Nov 16, 2021

One of the packages, wrap-ansi (3.0.0 - 6.1.0), depends on vulnerable versions of string-width and strip-ansi. Please merge the PR, update dev dependencies, and do a release.

@radomirbosak

Also this one: #293

@shavo007

Hi all, +1 on this. It's failing our security scanning currently due to this issue. Thanks.

@radomirbosak

Unfortunately, this wasn't resolved. Only @types/wrap-ansi was upgraded, not wrap-ansi itself.

@RodEsp
Contributor

RodEsp commented Nov 24, 2021

Thanks @radomirbosak, you're totally right.
The PR for that is #293, as you said, but our automated tests aren't passing so it'll require a little more time to look into it.

@RodEsp RodEsp reopened this Nov 24, 2021
@Swaagie

Swaagie commented Nov 25, 2021

@RodEsp correct me if wrong, but it seems that #293 failed on engine requirements (e.g. minimum node@12) and both GHA workflows as well as circle CI got updated more recently to only run against 12, 14 and latest. Might just take a simple action rerun to get tests to pass.

@RodEsp
Contributor

RodEsp commented Nov 25, 2021

Hey @Swaagie, you're right that the GitHub actions are failing due to incorrect versions of node but the CircleCI tests have already been updated and are giving a different error.

Are you able to see the CircleCI job logs?

@Swaagie

Swaagie commented Nov 26, 2021

Yeah, I noticed that failure as well. I suspect this requires an update to the .mocharc.json config, see mochajs/mocha#4726. These options are not well documented yet. I'm happy to make an independent PR that fixes this.

@Swaagie

Swaagie commented Nov 26, 2021

Actually, the real issue here is that wrap-ansi>8 moved to only expose ESM. If this plugin aims to consume this major version it should change require('wrap-ansi') to import ... from 'wrap-ansi'. That change likely has larger implications, though.

According to the vulnerability audit using ansi-regex>=5.0.1 should be good. Going to make a PR to use wrap-ansi@6.2 as that depends on strip-ansi@6 which use the designated version of ansi-regex: https://github.com/chalk/strip-ansi/releases/tag/v6.0.1
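The practical check behind the comment above, as an added example (not code from this project or any commenter): rather than trusting that a bumped `@types/wrap-ansi` fixed anything, walk the resolved dependency tree in `package-lock.json` (lockfile v2 `packages` map is assumed) and flag every copy, including nested ones, that still falls in the ranges this thread names: wrap-ansi 3.0.0 through 6.1.0, and any ansi-regex below 5.0.1. The lockfile in the block is constructed for the demonstration; `findFlaggedPackages`, `compareSemver` and `packageName` are names chosen here, not npm or wrap-ansi APIs.

```javascript
// Added example (not code from the wrap-ansi project or this issue): walk a
// package-lock.json v2 "packages" map and flag the resolved copies the audit
// in this thread complains about. Thresholds are the thread's own:
//   - wrap-ansi 3.0.0 .. 6.1.0 (the reported range)
//   - ansi-regex below 5.0.1 (the audit guidance quoted above)
// Everything below, including the lockfile, is CONSTRUCTED for the example.

// Parse "MAJOR.MINOR.PATCH[-pre][+build]" into numbers; pre-release and
// build tags are ignored, which is enough for the fixed/not-fixed question.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// One predicate per package name; true means "still flagged".
const RULES = {
  'wrap-ansi': v => compareSemver(v, '3.0.0') >= 0 && compareSemver(v, '6.1.0') <= 0,
  'ansi-regex': v => compareSemver(v, '5.0.1') < 0,
};

// The package name is everything after the LAST "node_modules/", so nested
// copies resolve correctly and scoped names (@types/wrap-ansi) keep their scope.
function packageName(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Return every flagged copy in the lockfile, sorted by path. Nested copies are
// exactly the ones a top-level "is ansi-regex fixed?" glance misses.
function findFlaggedPackages(lockfile, rules = RULES) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    if (lockPath === '') continue; // the root project entry
    const name = packageName(lockPath);
    const rule = name && rules[name];
    if (rule && entry.version && rule(entry.version)) {
      hits.push({ path: lockPath, name, version: entry.version });
    }
  }
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

// CONSTRUCTED lockfile: the top-level ansi-regex is already at a fixed
// version and @types/wrap-ansi has been bumped, but wrap-ansi@6.1.0 still
// pins its own strip-ansi/ansi-regex pair underneath it.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-project', version: '1.0.0' },
    'node_modules/ansi-regex': { version: '5.0.1' },
    'node_modules/@types/wrap-ansi': { version: '8.0.0' },
    'node_modules/wrap-ansi': { version: '6.1.0' },
    'node_modules/wrap-ansi/node_modules/strip-ansi': { version: '6.0.0' },
    'node_modules/wrap-ansi/node_modules/strip-ansi/node_modules/ansi-regex': { version: '5.0.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of findFlaggedPackages(SAMPLE_LOCK)) {
    console.log(`${h.name}@${h.version}  (${h.path})`);
  }
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result after the wrap-ansi@6.2 bump is the evidence the scanner is looking for, and a hit under a `node_modules/<something>/node_modules/...` path tells you which dependent is still pinning the old copy.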

@Swaagie

Swaagie commented Nov 26, 2021

See #321
