snyk vulnerability finding with ansi-regex

[oceanofmaya]

Issue type:
[x] question
[ ] bug report
[ ] feature request
[ ] documentation issue

TypeORM version:

[x] latest
[ ] @next
[ ] 0.x.x (or put your version here)

Snyk is reporting an issue with ansi-regex, which is a transitive dependency

Issues with no direct upgrade or patch:
✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in ansi-regex@2.1.1
introduced by typeorm@0.2.32 > yargs@16.2.0 > string-width@4.2.0 > strip-ansi@6.0.0 > ansi-regex@5.0.0 and 11 other path(s)
This issue was fixed in versions: 6.0.1

[oceanofmaya]

Looks like ansi-regex released a patch 5.0.1 and snyk now throws this error for the transitive dependency in my project

Issues with no direct upgrade or patch:
✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in ansi-regex@5.0.0
introduced by typeorm@0.2.32 > yargs@16.2.0 > string-width@4.2.0 > strip-ansi@6.0.0 > ansi-regex@5.0.0 and 9 other path(s)
This issue was fixed in versions: 6.0.1, 5.0.1

[oceanofmaya]

On the upside there is activity at yargs to try and patch this yargs/yargs#1839 now that string-width, strip-ansi and ansi-regex have patched it already. Once yargs patches it, it should make patching it here easier.