awslabs / aws-crt-nodejs

NodeJS bindings for the AWS Common Runtime.
Apache License 2.0

Force update ansi-regex to fix reports of build time vulnerability #458

Closed TwistedTwigleg closed 1 year ago

TwistedTwigleg commented 1 year ago

Description of changes:

Adds ansi-regex version ^3.0.1 to the package.json to fix reported security vulnerabilities in cmake-js.

This has been reported in https://github.com/aws/aws-iot-device-sdk-js-v2/issues/286, and as noted there it is due to cmake-js, of which we are using the latest 6.X version. However, as noted in https://github.com/cmake-js/cmake-js/issues/292 on the cmake-js repository, fixing this issue in cmake-js 6.X would require updating from yargs 3.X to 13.X, which is roughly 3 years of changes in yargs, and there currently appears to be no effort in motion to do so because of the large impact it could have.

It should be noted that this ansi-regex issue only impacts cmake-js and does not have any impact at runtime or for built projects. It is purely a build-time issue, as that is the only place we're using cmake-js and we control all the input to it.

This PR fixes the issue by pinning ansi-regex to version ^3.0.1, which fixes the vulnerability by forcing the use of a newer version of ansi-regex than what cmake-js 6.X uses. This was tested with Node 10.13 and found to work without any issues.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.