Open benjimin opened 2 years ago
Seems to have been fixed upstream (with a major/breaking release of gauge, but whatevs). Our image presently contains only version 5.0.1 of `ansi-regex`, so `npm audit` is now happy.
But, looks like the CVE scanner is continuing to fail because the docker cache (integrated into the GitHub Action) keeps reusing the old version. (This is why `--no-cache` is important.)
Updated scan to pull latest image, rather than build from scratch. I think this is more appropriate (regularly scan the deployed image, which may drift from a fresh re-build) and faster.
Still failing scan because: libc vulnerability
Currently the automatic vulnerability checker is issuing an alert regarding `ansi-regex < 5.0.1`. This is a node package (more motivation for #128); `canvas` requires `gauge`, and at present the latest version of `gauge` indirectly requires a vulnerable version of `ansi-regex`. Attempted running `npm audit fix` to no avail. Presumably need to wait for this to be fixed upstream: https://github.com/npm/gauge/issues/135

Not expecting any security impact, because our use of node is to render an image from data generated by the application (not supplied by the untrusted end client).
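The issue above and the follow-up comment both hinge on the same check: which copies of `ansi-regex` actually end up in the dependency tree, and whether every one of them is at or above the fixed version. `npm audit` reports this, but when a scanner disagrees (as it did here because of the cached image layer) it helps to walk the tree yourself. The script below is an added example, not code from the issue or the project it belongs to. It walks a dependency tree in the shape that `npm ls --all --json` prints and lists every occurrence of a package below a minimum version. The sample tree is constructed: the `canvas > gauge > ... > ansi-regex` chain mirrors the issue's description, but the version numbers and the intermediate packages (`string-width`, `strip-ansi`) are assumptions, and the `5.0.1` floor is taken from the `< 5.0.1` range quoted in the issue.

```javascript
// Added example (not from the issue or the project): find every copy of a
// package in an `npm ls --all --json` tree and flag versions below a floor.
// In a real check, replace `sampleTree` with the parsed output of
// `npm ls --all --json` run inside the built image.

const MIN_SAFE = "5.0.1"; // floor taken from the "ansi-regex < 5.0.1" alert in the issue

// Compare two dotted numeric versions (pre-release suffixes ignored).
// Returns -1 when a < b, 0 when equal, 1 when a > b.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk that records every occurrence of `name`, together with
// the chain of parents that pulled it in. npm nests duplicates when versions
// conflict, so one package can appear several times at different versions.
function findPackage(tree, name, path = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name) hits.push({ version: info.version, path: here });
    hits.push(...findPackage(info, name, here));
  }
  return hits;
}

// The occurrences a scanner would flag: anything strictly below `minSafe`.
function vulnerableCopies(tree, name, minSafe = MIN_SAFE) {
  return findPackage(tree, name).filter(
    (h) => compareVersions(h.version, minSafe) < 0
  );
}

// Constructed sample in the shape of `npm ls --all --json` output. Package
// names below `gauge` and all version numbers are assumptions for the demo.
const sampleTree = {
  name: "render-service",
  version: "1.0.0",
  dependencies: {
    canvas: {
      version: "2.8.0",
      dependencies: {
        gauge: {
          version: "2.7.4",
          dependencies: {
            "string-width": {
              version: "1.0.2",
              dependencies: {
                "strip-ansi": {
                  version: "3.0.1",
                  dependencies: { "ansi-regex": { version: "2.1.1" } },
                },
              },
            },
          },
        },
      },
    },
    // A top-level copy at the fixed version does not remove the nested one;
    // both are installed and a scanner will still see the old copy.
    "ansi-regex": { version: "5.0.1" },
  },
};

for (const h of vulnerableCopies(sampleTree, "ansi-regex")) {
  console.log(`ansi-regex ${h.version} via ${h.path.join(" > ")}`);
}
```

The point the walk makes visible is the one the issue describes: `npm audit fix` cannot help when the vulnerable copy is pinned by a transitive dependency's own version range, and a fixed copy elsewhere in the tree does not replace it. Running the same walk against the tree extracted from the image that is actually deployed, rather than from a fresh `npm install`, is also what catches the cached-layer drift mentioned in the follow-up.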