instana / nodejs

Node.js in-process collectors for Instana
MIT License

[Bug]: vulnerabilities in the dependencies #401

Closed sylarwang closed 3 years ago

sylarwang commented 3 years ago

Problem Description

https://github.com/advisories/GHSA-93q8-gq69-wqmw
Package: ansi-regex
Dependency of: @instana/collector
Path: @instana/collector > @instana/autoprofile > node-gyp > npmlog > gauge > wide-align > string-width > strip-ansi > ansi-regex

Short, Self Contained Example

No response

Node.js Version

v14.16.1

package.json

{}

package-lock.json

{}
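The "Path:" line in the report above is derived from the lockfile by resolving each dependency the way Node does (nearest node_modules/ walking up from the dependant). The following is an added example, not code from the instana/nodejs project: it walks a constructed, shortened package-lock.json (v2/v3 "packages" map; the versions in it are made up) and prints the chain to every installed copy of a package, including nested copies that a flat name lookup would miss.

```javascript
// Added example, not code from the instana/nodejs project: derive the chain from the
// project root to each installed copy of a package from an npm lockfile (v2/v3 "packages"
// map keyed by install location). The lockfile is constructed and shortened; versions are made up.
const sampleLock = {
  packages: {
    "": { dependencies: { "@instana/collector": "^1.0.0", "strip-ansi": "^6.0.0" } },
    "node_modules/@instana/collector": { version: "1.0.0", dependencies: { "@instana/autoprofile": "^1.0.0" } },
    "node_modules/@instana/autoprofile": { version: "1.0.0", dependencies: { "node-gyp": "^8.0.0" } },
    "node_modules/node-gyp": { version: "8.0.0", dependencies: { npmlog: "^4.0.0" } },
    "node_modules/npmlog": { version: "4.0.0", dependencies: { "strip-ansi": "^4.0.0" } },
    "node_modules/npmlog/node_modules/strip-ansi": { version: "4.0.0", dependencies: { "ansi-regex": "^4.0.0" } },
    "node_modules/npmlog/node_modules/ansi-regex": { version: "4.1.0" },
    "node_modules/strip-ansi": { version: "6.0.1", dependencies: { "ansi-regex": "^6.0.0" } },
    "node_modules/ansi-regex": { version: "6.0.1" },
  },
};

// Package name from an install location; scoped names keep their "@scope/" prefix.
const nameOf = (loc) => loc.slice(loc.lastIndexOf("node_modules/") + "node_modules/".length);
// Node's resolution rule: the nearest node_modules/<dep> walking up from the dependant.
function resolve(packages, fromLoc, dep) {
  for (let base = fromLoc; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // reached the root without finding it
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Breadth-first walk from the root, so each location's recorded parent yields the shortest chain.
function chainsTo(lock, target) {
  const { packages } = lock;
  const parent = new Map([["", null]]);
  for (const queue = [""]; queue.length; ) {
    const loc = queue.shift();
    for (const dep of Object.keys(packages[loc].dependencies || {})) {
      const next = resolve(packages, loc, dep);
      if (next && !parent.has(next)) { parent.set(next, loc); queue.push(next); }
    }
  }
  const hits = [];
  for (const loc of parent.keys()) {
    if (loc === "" || nameOf(loc) !== target) continue;
    const chain = [];
    for (let l = loc; l !== ""; l = parent.get(l)) chain.unshift(nameOf(l));
    hits.push({ location: loc, version: packages[loc].version, chain: chain.join(" > ") });
  }
  return hits;
}
console.log(chainsTo(sampleLock, "ansi-regex"));
```

On a real project `npm ls ansi-regex` gives the same chains from the actual lockfile; the point of the walk above is that each installed copy must be matched against the advisory's version range separately, since the hoisted copy and a nested one can differ.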

basti1302 commented 3 years ago

Thanks for the report.

See https://github.com/instana/nodejs/pull/400. This particular dependency is removed in commit https://github.com/instana/nodejs/pull/400/commits/0427eed46353d3ac43d7f3ae8181997e6661ff47. A new package version without that dependency will be released soon.

Please also take a look at the explanation in the commit comment of https://github.com/instana/nodejs/pull/400/commits/e6e2f312ec2ad127f3d7e93beceee91fda6cdf24 that points out why blindly creating bug reports like this is not appropriate.