Open kconut opened 7 months ago
@kconut Thanks for posting! We'll take a look as soon as possible.
In the mean time, there are a few ways you can help speed things along:
Please remember: never post in a public forum if you believe you've found a genuine security vulnerability. Instead, disclose it responsibly.
For help with questions about Sails, click here.
Hey @kconut thanks for reporting, we will have a look into resolving this. :)
Hi @kconut, for some reason, this vulnerability is not showing up in npm audit
reports. Would you happen to have any idea why that is? Where did your security finding come from?
Hi @kconut, for some reason, this vulnerability is not showing up in
npm audit
reports. Would you happen to have any idea why that is? Where did your security finding come from?
Hi @eashaw, thank you for looking into this!
We have Snyk integrated into our pipeline for static code analysis and dependency scanning, and the vulnerability on ansi-regex only started showing up in our scans roughly 3 weeks ago.
Additional information from the generated report file:
Regular Expression Denial of Service (ReDoS)
Package Manager: npm
Vulnerable module: ansi-regex
Introduced through: sails@1.5.8 and others
Detailed paths
Introduced through: sails@1.5.8 › captains-log@2.0.4 › chalk@1.1.3 › has-ansi@2.0.0 › ansi-regex@2.1.1
Introduced through: sails@1.5.8 › sails-generate@2.0.8 › chalk@1.1.3 › has-ansi@2.0.0 › ansi-regex@2.1.1
Introduced through: sails@1.5.8 › whelk@6.0.1 › chalk@1.1.3 › has-ansi@2.0.0 › ansi-regex@2.1.1
Introduced through: sails@1.5.8 › sails-generate@2.0.8 › reportback@2.0.2 › captains-log@2.0.4 › chalk@1.1.3 › has-ansi@2.0.0 › ansi-regex@2.1.1
Remediation
Upgrade ansi-regex to version 3.0.1, 4.1.1, 5.0.1, 6.0.1 or higher.
Also providing here the attached references regarding the finding: GitHub Commit GitHub Commit GitHub Commit GitHub PR
@kconut Publishing patches now!
Node version: 16 Sails version (sails): 1.5.8
We're encountering the following security finding for our sails application:
Is there any plan to update the chalk version for captains-log?