broccolijs / broccoli

Browser compilation library – an asset pipeline for applications that run in the browser
https://broccoli.build
MIT License

Can ansi-html dependency be shifted to ansi-html-community to address advisory? #492

Open lupestro opened 2 years ago

lupestro commented 2 years ago

ansi-html has a high priority advisory against it for uncontrolled resource consumption and has had no new versions since 2017 and no response from the author. ansi-html-community is a fork of it that issued a 0.0.8 release in early September to address the issue. See PR on the original repo. Can the dependency be shifted to the fork?

ohsnapitscolin commented 2 years ago

It looks like the PR above has been merged and a new version of ansi-html has been released. Can the ansi-html dependency in this repo be updated to use the new version?

gorner commented 3 months ago

Reposting a comment from the above-linked PR as a PSA for anyone this still affects:

Unfortunately this project seems to have remained dormant as the Ember community has shifted their focus to building out Embroider as the eventual replacement for Broccoli.

For now I would recommend specifying the updated version as an override in your package.json. Assuming you're using NPM, this would be:

```json
"overrides": {
  "ansi-html": "^0.0.8"
}
```

(If you're using Yarn, use "resolutions" instead of "overrides".)
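Declaring an override is only half the job: the lockfile is what records which copies of the package actually got resolved, and a nested duplicate under some other dependency can survive if the override is mistyped or the lockfile was not regenerated. The script below is an added example (not Broccoli's code, nor gorner's): it reads the `overrides`/`resolutions` entry from a package.json object and every resolved copy of ansi-html from an npm lockfile v2/v3 `packages` map, and flags any copy older than 0.0.8. The package.json and lockfile objects are constructed inline for illustration; the nested `broccoli-middleware` path is a hypothetical example of where a stale copy could hide.

```javascript
// Added example, not part of the original thread or of the Broccoli project.
// Checks that an npm "overrides" (or yarn "resolutions") entry for a
// vulnerable transitive dependency actually took effect, by comparing the
// declared override against every copy resolved in the lockfile.

const VULNERABLE_PKG = "ansi-html";
const FIXED_VERSION = "0.0.8"; // release the thread identifies as the fix

// Minimal comparison for plain x.y.z version strings (no ranges, no
// prerelease tags). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Collect every resolved copy of `name` from a lockfile v2/v3 "packages" map.
// Keys look like "node_modules/foo" or "node_modules/bar/node_modules/foo";
// the nested form is exactly what an override is supposed to eliminate.
function resolvedCopies(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      out.push({ path, version: entry.version });
    }
  }
  return out;
}

// Only the simple top-level key form ("ansi-html": "...") is recognised here;
// nested selectors such as "broccoli > ansi-html" are not handled.
function auditOverride(pkgJson, lock, name = VULNERABLE_PKG, fixed = FIXED_VERSION) {
  const overrides = pkgJson.overrides || {};     // npm
  const resolutions = pkgJson.resolutions || {}; // yarn
  const overrideDeclared = name in overrides || name in resolutions;
  const copies = resolvedCopies(lock, name);
  const vulnerable = copies.filter((c) => compareVersions(c.version, fixed) < 0);
  return {
    overrideDeclared,
    copies,
    vulnerable,
    ok: overrideDeclared && vulnerable.length === 0,
  };
}

// --- Constructed sample inputs (not from a real project) ---
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  devDependencies: { broccoli: "^3.0.0" },
  overrides: { "ansi-html": "^0.0.8" },
};

// Lockfile state before `npm install` regenerated it: the old release is
// resolved twice, once hoisted and once nested under a hypothetical package.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/broccoli": { version: "3.5.2" },
    "node_modules/ansi-html": { version: "0.0.7" },
    "node_modules/broccoli-middleware/node_modules/ansi-html": { version: "0.0.7" },
  },
};

// Lockfile state after the override took effect: a single fixed copy.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/broccoli": { version: "3.5.2" },
    "node_modules/ansi-html": { version: "0.0.8" },
  },
};

console.log("before:", JSON.stringify(auditOverride(SAMPLE_PACKAGE_JSON, LOCK_BEFORE)));
console.log("after: ", JSON.stringify(auditOverride(SAMPLE_PACKAGE_JSON, LOCK_AFTER)));
```

To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync("package.json"))` and the same for `package-lock.json`; `npm ls ansi-html` gives an equivalent view from npm itself, and is a quick way to confirm the nested copy is gone after reinstalling.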