Closed joshuaauerbachwatson closed 2 years ago
Looking at the brief details in the provided link, the description is "ansi-regex is vulnerable to Inefficient Regular Expression Complexity" and advisory is still processing. The linked fix https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9 and https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/ suggest we are not likely to be impacted by this given the way this library is used.
Ok. Sounds like we tolerate and ignore for the present. We can either close this issue or leave it open as a reminder, up to you.
I'm closing this because I've meanwhile discovered that I can eliminate vulnerabilities in the upstream consumer (nimbella-cli in this case) by using the "overrides" object in package.json. This requires npm 8.3 or later, which comes with node 16.x. But, we are now standardizing on that, so we can use this technique.
I'm having trouble eliminating some moderate severity vulnerabilities from nim. Actually, it's really just one vulnerability: https://github.com/advisories/GHSA-93q8-gq69-wqmw but we are hit with it by many different dependency paths. I checked whether we could solve this by rebasing on the latest code from Adobe but that code has the vulnerability also (it also has many other vulnerabilities but they are in its dev dependencies only and I'm ignoring them).
Opening this issue for brief discussion of whether
Looking for some guidance from @rabbah .