okta / okta-oidc-js
https://github.com/okta/okta-oidc-js

Security vulnerability in ansi-regex@5.0.0 #1047

Closed Rudy-Hentzen closed 2 years ago

Rudy-Hentzen commented 2 years ago

Current behavior

Snyk has reported a critical vulnerability in the @okta/configuration-validation package. The path to the vulnerability is @okta/configuration-validation@1.0.0 › @okta/okta-auth-js@4.9.2 › tsd@0.14.0 › eslint-formatter-pretty@4.1.0 › string-width@4.2.2 › strip-ansi@6.0.0 › ansi-regex@5.0.0

The vulnerable dependency is ansi-regex@5.0.0, and bumping to either ansi-regex@6.0.1 or @5.0.1 will resolve the vulnerability.

More information on the exploits can be found in the following links

Expected behavior

The vulnerability is resolved

Minimal reproduction of the problem with instructions

Hopefully the vulnerability reports have enough information 🤞


denysoblohin-okta commented 2 years ago

Thanks for the report. The vulnerability comes from tsd, which is a dev dependency of okta-auth-js, used just to check typings. Internal ref: OKTA-454153

Rudy-Hentzen commented 2 years ago

Thanks @denysoblohin-okta for getting back so quickly 🙂. Is there a link to your internal reference and are there plans to resolve it? Totally understand that it is a dev dependency, however, it would be nice not to have it :)
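The triage this thread turns on is whether ansi-regex is reachable from application code at runtime or only through the tsd devDependency edge of okta-auth-js. As an added example (not code from okta-oidc-js, okta-auth-js, Snyk, or any participant in this issue), the Node script below walks a constructed dependency graph shaped after the path quoted in the report, enumerates every path from the application to ansi-regex, marks any path that crosses a devDependency edge as dev-only, and checks the installed version against the two fixed versions named in the thread. The graph itself, the 'prod'/'dev' edge tagging, the `example-app` root and the `hypothetical-cli` package (invented so that one runtime-reachable path exists for contrast) are assumptions for the example.

```javascript
'use strict';

// Added example, not code from okta-oidc-js or okta-auth-js.
// Constructed dependency graph modelled on the Snyk path in the report.
// Each edge is tagged 'prod' (package.json dependencies) or 'dev'
// (devDependencies). 'hypothetical-cli' and 'example-app' are invented.
const GRAPH = {
  'example-app':                    { version: '0.0.0',  edges: { '@okta/configuration-validation': 'prod', 'hypothetical-cli': 'prod' } },
  '@okta/configuration-validation': { version: '1.0.0',  edges: { '@okta/okta-auth-js': 'prod' } },
  '@okta/okta-auth-js':             { version: '4.9.2',  edges: { tsd: 'dev' } },
  tsd:                              { version: '0.14.0', edges: { 'eslint-formatter-pretty': 'prod' } },
  'eslint-formatter-pretty':        { version: '4.1.0',  edges: { 'string-width': 'prod' } },
  'string-width':                   { version: '4.2.2',  edges: { 'strip-ansi': 'prod' } },
  'strip-ansi':                     { version: '6.0.0',  edges: { 'ansi-regex': 'prod' } },
  'ansi-regex':                     { version: '5.0.0',  edges: {} },
  'hypothetical-cli':               { version: '1.0.0',  edges: { 'strip-ansi': 'prod' } },
};

// Depth-first enumeration of every path root -> target. The current path
// doubles as the cycle guard. A path is runtime-reachable only if none of
// its edges is a devDependency edge.
function findPaths(graph, root, target) {
  const found = [];
  (function walk(name, path, kinds) {
    if (name === target) {
      found.push({ path: path.slice(), kinds: kinds.slice(), runtime: !kinds.includes('dev') });
      return;
    }
    const node = graph[name];
    if (!node) return;
    for (const [dep, kind] of Object.entries(node.edges)) {
      if (path.includes(dep)) continue; // cycle guard
      path.push(dep); kinds.push(kind);
      walk(dep, path, kinds);
      path.pop(); kinds.pop();
    }
  })(root, [root], []);
  return found;
}

// Render a path the way the report prints one: name@version › name@version › ...
function formatPath(graph, path) {
  return path.map(n => `${n}@${graph[n].version}`).join(' › ');
}

// Numeric major.minor.patch compare; prerelease tags are ignored (assumption).
function cmpVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The thread names 5.0.1 and 6.0.1 as the versions that resolve the finding.
// This encodes only that statement, not the advisory's full affected range.
function ansiRegexFixedPerThread(version) {
  const major = Number(version.split('.')[0]);
  if (major === 5) return cmpVersion(version, '5.0.1') >= 0;
  if (major === 6) return cmpVersion(version, '6.0.1') >= 0;
  return false; // outside the two lines the thread mentions: treat as not fixed
}

// Summarise: is the installed version fixed, and which paths actually matter at runtime?
function triage(graph, root, target) {
  const paths = findPaths(graph, root, target);
  return {
    fixed: ansiRegexFixedPerThread(graph[target].version),
    runtimePaths: paths.filter(p => p.runtime).map(p => formatPath(graph, p.path)),
    devOnlyPaths: paths.filter(p => !p.runtime).map(p => formatPath(graph, p.path)),
  };
}

const report = triage(GRAPH, 'example-app', 'ansi-regex');
console.log(`ansi-regex@${GRAPH['ansi-regex'].version} fixed per thread: ${report.fixed}`);
console.log('runtime-reachable paths:');
report.runtimePaths.forEach(p => console.log('  ' + p));
console.log('dev-only paths:');
report.devOnlyPaths.forEach(p => console.log('  ' + p));
```

Against a real project the equivalent checks are `npm ls ansi-regex` (prints every installed path to the package) and, on npm 8 or later, `npm audit --omit=dev` to drop findings that are reachable only through devDependencies. One caveat worth keeping in mind when reading the report's path: npm does not install the devDependencies of a dependency, so in a consumer's node_modules the tsd link of that chain would not normally exist; a scanner that reads package manifests rather than the installed tree can still report it.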