Closed jmoyano-koa closed 2 years ago
ansi-regex is used in dev dependencies. Don't see 3.0.0 or 4.1.0 in the tree tho. There is a transitive dependency with version 2.1.1 and the rest are resolving 5.0.1
```
❯ npm ls ansi-regex
kubernetes-external-secrets@8.5.0 /home/flydiverny/Code/github/kubernetes-external-secrets
├─┬ @ibm-cloud/secrets-manager@0.1.1
│ └─┬ ibm-cloud-sdk-core@2.15.1
│   └─┬ expect@26.6.2
│     └─┬ jest-matcher-utils@26.6.2
│       └─┬ pretty-format@26.6.2
│         └── ansi-regex@5.0.1
├─┬ eslint@7.32.0
│ ├─┬ strip-ansi@6.0.1
│ │ └── ansi-regex@5.0.1
│ └─┬ table@6.7.2
│   └─┬ strip-ansi@6.0.1
│     └── ansi-regex@5.0.1
├─┬ mocha@8.4.0
│ ├─┬ wide-align@1.1.3
│ │ └─┬ string-width@1.0.2
│ │   └─┬ strip-ansi@3.0.1
│ │     └── ansi-regex@2.1.1
│ └─┬ yargs@16.2.0
│   ├─┬ cliui@7.0.4
│   │ ├─┬ strip-ansi@6.0.1
│   │ │ └── ansi-regex@5.0.1
│   │ └─┬ wrap-ansi@7.0.0
│   │   └─┬ strip-ansi@6.0.1
│   │     └── ansi-regex@5.0.1
│   └─┬ string-width@4.2.3
│     └─┬ strip-ansi@6.0.1
│       └── ansi-regex@5.0.1
├─┬ nodemon@2.0.13
│ └─┬ update-notifier@5.1.0
│   └─┬ boxen@5.1.2
│     ├─┬ ansi-align@3.0.1
│     │ └─┬ string-width@4.2.3
│     │   └─┬ strip-ansi@6.0.1
│     │     └── ansi-regex@5.0.1
│     ├─┬ string-width@4.2.3
│     │ └─┬ strip-ansi@6.0.1
│     │   └── ansi-regex@5.0.1
│     └─┬ widest-line@3.1.0
│       └─┬ string-width@4.2.3
│         └─┬ strip-ansi@6.0.1
│           └── ansi-regex@5.0.1
└─┬ nyc@15.1.0
  └─┬ yargs@15.4.1
    └─┬ cliui@6.0.0
      └─┬ strip-ansi@6.0.1
        └── ansi-regex@5.0.1
```
for json-schema #891
8.5.1 released with bumped json-schema
Also see #864
Hi @Flydiverny,
thanks for solving the issue with json-schema. Related to the ansi-regex libraries, both affected libraries are global from the alpine base image, I think:
"usr/local/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json","3.0.0"
"usr/local/lib/node_modules/npm/node_modules/yargs/node_modules/ansi-regex/package.json","4.1.0"
Although I'm not able to find a non-vulnerable version...
Kind regards,
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.
This issue was closed because it has been stalled for 30 days with no activity.
Hello,
current 8.5.0 has two High and Critical vulnerable dependencies as per our scans. See attached console output.
Vulnerable packages are in:
Is this deployment vulnerable? Has it been evaluated? Didn't find any issue or security advisory on this.