discordjs / voice

Implementation of the Discord Voice API for discord.js and other JS/TS libraries
Apache License 2.0
328 stars, 112 forks

CVE-2021-3807: Inefficient Regular Expression Complexity in chalk/ansi-regex #208

Closed fredkilbourn closed 2 years ago

fredkilbourn commented 2 years ago

Inefficient Regular Expression Complexity in chalk/ansi-regex

ansi-regex is vulnerable to Inefficient Regular Expression Complexity.

https://github.com/advisories/GHSA-93q8-gq69-wqmw

@discordjs/voice@0.6.0 requires ansi-regex@^3.0.0 via a transitive dependency on strip-ansi@4.0.0

Need to update dependencies to non-vulnerable versions to resolve. This is triggering dependabot alerts on my repo due to including this project.

fredkilbourn commented 2 years ago

Updating ansi-regex to v5.0.1 (https://github.com/chalk/ansi-regex/releases/tag/v5.0.1) will resolve this vulnerability.

fredkilbourn commented 2 years ago

Or https://github.com/chalk/ansi-regex/releases/tag/v6.0.1 if you're comfortable with it changing to an ESM module.

fredkilbourn commented 2 years ago

bump?

samarmeena commented 2 years ago

@fredkilbourn based on the package info at https://github.com/discordjs/voice/blob/main/package-lock.json#L14275

the dependency which had the issue may have patched that already. This is no longer a valid issue. Thank you.

fredkilbourn commented 2 years ago

Actually, yes, it seems to be coming from a transitive dependency through prism-media to https://github.com/discordjs/opus and beyond. I'll close this one here and try to go deeper to where it can be fixed.
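The thread's open question is which transitive chain actually pulls in the old ansi-regex, since the top-level lockfile entry samarmeena pointed at is already patched while a nested copy under another package may not be. The following is an added example, not code from the discord.js/voice project or from anyone in the thread: it walks a `package-lock.json` (lockfileVersion 2/3 `packages` map) using Node's module resolution order (a package's own `node_modules`, then each ancestor's) and prints every dependency chain that ends in an ansi-regex version inside the affected ranges. The lockfile embedded below is constructed for the example; the versions shown for prism-media and @discordjs/opus are placeholders, not real release data. The affected ranges are taken from the advisory linked in the first comment; verify them against GHSA-93q8-gq69-wqmw before relying on them.

```javascript
// Added example (not part of discord.js/voice): report every dependency chain
// in an npm lockfile that reaches a vulnerable ansi-regex, so the fix can be
// applied at the right package instead of at the hoisted top-level copy.

// [first affected, first fixed] pairs, per the GHSA advisory linked in the
// issue. Assumption: verify against the advisory before relying on these.
const VULNERABLE_RANGES = [
  ['3.0.0', '3.0.1'],
  ['4.0.0', '4.1.1'],
  ['5.0.0', '5.0.1'],
  ['6.0.0', '6.0.1'],
];

// Minimal x.y.z comparison (enough for the release versions in a lockfile).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

function isVulnerableAnsiRegex(version) {
  return VULNERABLE_RANGES.some(([from, fixed]) =>
    compareVersions(version, from) >= 0 && compareVersions(version, fixed) < 0);
}

// Node resolution against the lockfile: look in <from>/node_modules first,
// then in each ancestor's node_modules, ending at the project root ('').
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base === '' ? '' : base + '/') + 'node_modules/' + depName;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// "node_modules/@scope/name" or "a/node_modules/name" -> the package name.
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return lockPath.slice(idx + 'node_modules/'.length);
}

// Depth-first walk from the root; returns one "a@1 > b@2 > ..." string per
// chain that ends in a vulnerable copy of `target`. An on-stack set guards
// against cycles while still enumerating every distinct chain.
function findVulnerableChains(lock, target = 'ansi-regex', isVulnerable = isVulnerableAnsiRegex) {
  const packages = lock.packages;
  const results = [];
  const onStack = new Set();

  function walk(path, chain) {
    const pkg = packages[path];
    const label = path === '' ? (lock.name || '(root)') : `${packageName(path)}@${pkg.version}`;
    const next = [...chain, label];
    if (path !== '' && packageName(path) === target) {
      if (isVulnerable(pkg.version)) results.push(next.join(' > '));
      return;
    }
    if (onStack.has(path)) return;
    onStack.add(path);
    for (const dep of Object.keys(pkg.dependencies || {})) {
      const resolved = resolveDep(packages, path, dep);
      if (resolved) walk(resolved, next);
    }
    onStack.delete(path);
  }

  walk('', []);
  return results;
}

// Constructed lockfile (versions of prism-media and @discordjs/opus are
// placeholders). The root's own strip-ansi is patched and hoisted; the
// older pair lives nested under @discordjs/opus, which is what a check of
// only the top-level ansi-regex entry would miss.
const CONSTRUCTED_LOCK = {
  name: 'my-bot',
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { '@discordjs/voice': '^0.6.0', 'strip-ansi': '^6.0.0' } },
    'node_modules/@discordjs/voice': { version: '0.6.0', dependencies: { 'prism-media': '^1.0.0' } },
    'node_modules/prism-media': { version: '1.0.0', dependencies: { '@discordjs/opus': '^0.5.0' } },
    'node_modules/@discordjs/opus': { version: '0.5.0', dependencies: { 'strip-ansi': '^4.0.0' } },
    'node_modules/@discordjs/opus/node_modules/strip-ansi': { version: '4.0.0', dependencies: { 'ansi-regex': '^3.0.0' } },
    'node_modules/@discordjs/opus/node_modules/ansi-regex': { version: '3.0.0' },
    'node_modules/strip-ansi': { version: '6.0.0', dependencies: { 'ansi-regex': '^5.0.0' } },
    'node_modules/ansi-regex': { version: '5.0.1' },
  },
};

for (const chain of findVulnerableChains(CONSTRUCTED_LOCK)) {
  console.log(chain);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerableChains` instead of the constructed object. The output names the package whose own dependency declaration has to change (here the nested strip-ansi@4.0.0 under @discordjs/opus), which is the "go deeper" step the last comment describes; until that upstream package updates, npm's `overrides` field (or Yarn's `resolutions`) can pin ansi-regex to a fixed version across the whole tree.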