cli-table / cli-table3

Pretty unicode tables for the command line
MIT License
530 stars, 44 forks

Security vulnerability with string-width dependency #244

Closed akaraman85 closed 2 years ago

akaraman85 commented 2 years ago

Currently string-width@^4.0.0 is dependent on strip-ansi@^3.0.1, which has a dependency on a vulnerable version of ansi-regex. The vulnerability is only fixed in ansi-regex >6.0.0, https://github.com/chalk/ansi-regex/releases/tag/v6.0.1

Vulnerability link - https://snyk.io/vuln/npm:ansi-regex

StudioMaX commented 2 years ago

Just found this repository while trying to fix an issue with vulnerable packages.

> Currently string-width@^4.0.0 is dependent on strip-ansi@^3.0.1

In fact, this is not entirely true. As I see, version 0.6.0 of this package has "string-width": "^4.2.0" in its dependencies. https://github.com/cli-table/cli-table3/blob/25159968fc39f421b60a4265c3f7ad0bb646d0fb/package.json#L15-L18 And the vulnerable ansi-regex package has been fixed in string-width@4.2.3.

Our problem (like everyone who found this issue) is that our dependencies use an older version of cli-table3@^0.5.0, which is still vulnerable. Therefore, this problem should be addressed to the parent package that still uses cli-table3@^0.5.0 in its dependencies.

skaugvoll commented 2 years ago

Hi, I have the same issue. aquasec/trivy detects this as a vulnerability when using the docker image node:16-alpine3.14. Any progress on this?

Turbo87 commented 2 years ago

As @StudioMaX has already mentioned above, this needs to be fixed in the packages that still use an old version of cli-table3.

skaugvoll commented 2 years ago

Ah, my bad. Thanks for the fast reply! :)

choutkamartin commented 2 years ago

I encountered this security vulnerability. I installed npm as a package in my project by mistake.

The installed npm had the newest version ^8.3.0. This package is a dependency of npm with version ^0.6.0. At this version, string-width is a dependency with version ^4.2.0.

String-width has dependency strip-ansi ^6.0.0. Strip-ansi has dependency ansi-regex with version ^5.0.0.

If we look at Snyk, we see that ansi-regex has a vulnerability in version 5.0.0. Only backported 5.0.1 and 6.0.1 don't contain this vulnerability.

Am I wrong or not? I don't think so, as npm is using the newest version of this package.

Turbo87 commented 2 years ago

^5.0.0 means that 5.0.1 is compatible

choutkamartin commented 2 years ago

The caret means: "Install latest compatible version", which will eventually install the latest 5.x.x version, meaning it should install 5.0.1 (without vulnerability) and not install the 6.0.0 version. Yes, you are right, but I don't know why npm then installed one of the vulnerable versions.

Thanks for the reply, it's clear that there's no problem in this package.
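The thread's two points, that the affected ansi-regex sits several levels below cli-table3 in the lock tree and that a caret range such as ^5.0.0 already admits the fixed 5.0.1, can be checked mechanically. The following is an added example, not code from the cli-table3 project: it walks a package-lock.json-style tree (lockfileVersion 1 nesting, constructed sample data) and, for each affected ansi-regex, reports the chain that pulled it in and whether the parent's declared range covers a fixed release, in which case a lockfile refresh suffices and no upstream package change is needed. It encodes only the fix versions the thread names (5.0.1 and 6.0.1); the authoritative affected range, including any other backported fixes, must be taken from the advisory itself.

```javascript
// Added example, not cli-table3 project code: scan a lockfileVersion-1 style
// package-lock.json tree for ansi-regex versions this thread calls affected
// (fixed in 5.0.1 and 6.0.1) and say whether the declared caret range admits a fix.

// Numeric comparison of two x.y.z versions: negative, zero or positive.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret semantics: same major and not below the base; for 0.x ranges npm also pins
// the minor (0.0.x is out of scope). So ^5.0.0 admits 5.0.1 but not 6.0.1.
function caretSatisfies(range, version) {
  const base = range.slice(1); // assumes a "^x.y.z" range
  const [bMaj, bMin] = base.split('.').map(Number), [vMaj, vMin] = version.split('.').map(Number);
  if (vMaj !== bMaj || (bMaj === 0 && vMin !== bMin)) return false;
  return compareVersions(version, base) >= 0;
}

// Affected as stated in the thread: anything below 5.0.1, plus exactly 6.0.0.
function isAffectedAnsiRegex(version) {
  return compareVersions(version, '5.0.1') < 0 || version === '6.0.0';
}

// Walk nested "dependencies"; for each affected ansi-regex report the chain that
// pulled it in and whether the declared range already covers a fixed version.
function findAffectedAnsiRegex(node, chain = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...chain, `${name}@${dep.version}`];
    if (name === 'ansi-regex' && isAffectedAnsiRegex(dep.version)) {
      const range = (node.requires || {})['ansi-regex'];
      const fixInRange = !!range && ['5.0.1', '6.0.1'].some((v) => caretSatisfies(range, v));
      hits.push({ chain: here.join(' > '), range, fixInRange });
    }
    hits.push(...findAffectedAnsiRegex(dep, here));
  }
  return hits;
}

// Constructed sample tree (not a real lockfile): stale ansi-regex@5.0.0 under ^5.0.0.
const mk = (version, requires = {}, dependencies = {}) => ({ version, requires, dependencies });
const sampleLock = mk('root', {}, {
  'cli-table3': mk('0.6.0', { 'string-width': '^4.2.0' }, {
    'string-width': mk('4.2.2', { 'strip-ansi': '^6.0.0' }, {
      'strip-ansi': mk('6.0.0', { 'ansi-regex': '^5.0.0' }, { 'ansi-regex': mk('5.0.0') }),
    }),
  }),
});
```

Calling `findAffectedAnsiRegex(sampleLock)` on the constructed tree returns one hit whose chain ends in ansi-regex@5.0.0 with `fixInRange: true`, which is the situation the last comments describe: the range is fine, only the resolved version is stale.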