Adds ansi-regex version ^3.0.1 to the package.json to fix reported security vulnerabilities in cmake-js.
This has been reported in https://github.com/aws/aws-iot-device-sdk-js-v2/issues/286, and as noted there it is due to cmake-js, which we are using the latest 6.X version of. However, as noted in https://github.com/cmake-js/cmake-js/issues/292 on the cmake-js repository, to fix this issue in cmake-js 6.X would require updating from yargs 3.X to 13.X, which is roughly 3 years of changes in yargs and currently appears not to be an effort in motion because of the large impact it could have.
The issue in the cmake-js repository notes that this is not an issue in cmake-js 7.X, but the JS CRT supports a minimum of NodeJS 10.13, while cmake-js 7.X has a minimum requirement of NodeJS 14.15+. We cannot update to cmake-js 7.X without updating our minimum NodeJS version.
It should be noted that this ansi-regex issue only impacts cmake-js and does not have any impact at runtime or for built projects. It is purely a build-time issue, as that is the only place we're using cmake-js and we control all the input to it.
This PR fixes the issue by pinning ansi-regex to version ^3.0.1, which fixes the vulnerability by forcing the use of a newer version of ansi-regex than what cmake-js 6.X uses. This was tested with Node 10.13 and found to work without any issues.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.