Closed akaraman85 closed 2 years ago
Just found this repository while trying to fix an issue with vulnerable packages.
Currently string-width@^4.0.0 is dependent on strip-ansi@^3.0.1
In fact, this is not entirely true.
As I see, version 0.6.0 of this package has "string-width": "^4.2.0" in its dependencies:
https://github.com/cli-table/cli-table3/blob/25159968fc39f421b60a4265c3f7ad0bb646d0fb/package.json#L15-L18
And the vulnerable ansi-regex package has been fixed in string-width@4.2.3.
Our problem (like everyone who found this issue) is that our dependencies use an older version of cli-table3@^0.5.0, which is still vulnerable.
Therefore, this problem should be addressed to the parent package that still uses cli-table3@^0.5.0 in its dependencies.
Hi, I have the same issue. aquasec/trivy detects this as a vulnerability when using the docker image node:16-alpine3.14. Any progress on this?
As @StudioMaX has already mentioned above, this needs to be fixed in the packages that still use an old version of cli-table3.
Ah, my bad. Thanks for the fast reply! :)
I encountered this security vulnerability. I installed npm as a package in my project by mistake.
The installed npm had the newest version ^8.3.0.
This package is a dependency of npm with version ^0.6.0. At this version, string-width is a dependency with version ^4.2.0.
string-width has dependency strip-ansi ^6.0.0. strip-ansi has dependency ansi-regex with version ^5.0.0.
If we look at Snyk, we see that ansi-regex has a vulnerability in version 5.0.0. Only the backported 5.0.1 and 6.0.1 don't contain this vulnerability.
Am I wrong or not? I don't think so, as npm is using the newest version of this package.
^5.0.0 means that 5.0.1 is compatible.
The caret means: "Install latest compatible version", which will eventually install the latest 5.x.x version, meaning it should install 5.0.1 (without the vulnerability) and not install 6.0.0. Yes, you are right, but I don't know why npm then installed one of the vulnerable versions.
Thanks for the reply, it's clear that there's no problem in this package.
Currently string-width@^4.0.0 is dependent on strip-ansi@^3.0.1, which has a dependency on a vulnerable version of ansi-regex. The vulnerability is only fixed in ansi-regex >6.0.0, https://github.com/chalk/ansi-regex/releases/tag/v6.0.1
Vulnerability link - https://snyk.io/vuln/npm:ansi-regex
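The two questions the thread keeps circling back to are what a caret range such as ^5.0.0 actually resolves to, and which parent package still pulls in the old cli-table3 branch. This added example (not code from the thread or from cli-table3) answers both with a minimal caret resolver and a walk over an `npm ls --json`-shaped tree; the published-version list and the dependency tree are constructed to mirror the versions named above.

```javascript
// Added example, not code from the thread or from cli-table3: what a caret range
// resolves to, and which parent a vulnerable ansi-regex hangs under. Constructed data.
const PUBLISHED_ANSI_REGEX = ['5.0.0', '5.0.1', '6.0.0', '6.0.1'];
// Versions the thread treats as vulnerable; 5.0.1 and 6.0.1 are the fixed ones.
const VULNERABLE_ANSI_REGEX = new Set(['5.0.0', '6.0.0']);
const parseVersion = (v) => v.split('.').map(Number);
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// ^X.Y.Z fixes the leftmost non-zero part: ^5.0.0 allows [5.0.0, 6.0.0), ^0.5.0 allows 0.5.x.
function satisfiesCaret(range, version) {
  const lower = range.replace(/^\^/, '');
  const [lo, v] = [parseVersion(lower), parseVersion(version)];
  const fixedParts = lo[0] === 0 ? 2 : 1;
  for (let i = 0; i < fixedParts; i++) if (v[i] !== lo[i]) return false;
  return compareVersions(version, lower) >= 0;
}
// Highest published version a fresh `npm install` would pick for the range.
function resolveCaret(range, published = PUBLISHED_ANSI_REGEX) {
  const ok = published.filter((v) => satisfiesCaret(range, v));
  return ok.length ? ok.sort(compareVersions).pop() : null;
}
// Walk an `npm ls --json`-shaped tree; return the path to each vulnerable copy of `pkg`.
function findVulnerable(tree, pkg, bad = VULNERABLE_ANSI_REGEX, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && bad.has(node.version)) out.push(here.join(' > '));
    findVulnerable(node, pkg, bad, here, out);
  }
  return out;
}
// Test-data helper: build a linear dependency chain from [name, version] pairs.
function chain(...pairs) {
  return pairs.reduceRight(
    (child, [name, version]) => ({ dependencies: { [name]: { version, ...child } } }), {});
}
// Constructed tree: a stale lockfile pins ansi-regex@5.0.0 under an old cli-table3,
// while the 0.6.0 branch already resolves to the fixed 5.0.1.
const SAMPLE_TREE = { name: 'my-app', version: '1.0.0', dependencies: {
  'legacy-cli': { version: '1.0.0', ...chain(['cli-table3', '0.5.0'],
    ['string-width', '4.2.0'], ['strip-ansi', '6.0.0'], ['ansi-regex', '5.0.0']) },
  ...chain(['cli-table3', '0.6.0'], ['string-width', '4.2.3'],
    ['strip-ansi', '6.0.1'], ['ansi-regex', '5.0.1']).dependencies,
} };

console.log(resolveCaret('^5.0.0'), findVulnerable(SAMPLE_TREE, 'ansi-regex'));
```

On a real project, feed `findVulnerable` the parsed output of `npm ls --json --all` instead of `SAMPLE_TREE`; a hit under a parent other than your own direct dependency is the "parent package" the thread says the fix belongs to.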