Closed mend-for-github-com[bot] closed 2 years ago
$ yarn why ansi-html
yarn why v1.22.17
[1/4] Why do we have the module "ansi-html"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "ansi-html@0.0.7"
info Reasons this module exists
- "_project_#@osd#ui-framework#webpack-dev-server" depends on it
- Hoisted from "_project_#@osd#ui-framework#webpack-dev-server#ansi-html"
- Hoisted from "_project_#@osd#storybook#@storybook#react#@pmmmwh#react-refresh-webpack-plugin#ansi-html"
info Disk size without dependencies: "40KB"
info Disk size with unique dependencies: "40KB"
info Disk size with transitive dependencies: "40KB"
info Number of shared dependencies: 0
Done in 1.92s.
Need to upgrade webpack-dev-server >4.1.1. That along with removing the storybook dependencies in #1171 will remove the ansi-html dependency.
CVE-2021-23424 - High Severity Vulnerability
Vulnerable Library - ansi-html-0.0.7.tgz
An elegant lib that converts the chalked (ANSI) text to HTML.
Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz
Dependency Hierarchy:
- @osd/ui-framework-1.0.0.tgz (Root Library)
  - webpack-dev-server-3.11.2.tgz
    - :x: **ansi-html-0.0.7.tgz** (Vulnerable Library)
Found in HEAD commit: 4fd064970b66ce555f48c22dfab6ed965d0e260a
Found in base branch: main
Vulnerability Details
This affects all versions of package ansi-html available at the time of publication. If an attacker supplies a crafted string, the converter gets stuck processing it for an extremely long time: a regular-expression denial of service (ReDoS), in which the pattern that matches ANSI escape sequences backtracks exponentially on a malformed sequence, so any application that passes untrusted text through ansi-html can be made unresponsive. In this project the library is reached only through webpack-dev-server (a development server) and the storybook tooling, so the exposure is developer machines running those tools; confirm it is not part of the production bundle before treating this as a production finding.
Publish Date: 2021-08-18
URL: https://nvd.nist.gov/vuln/detail/CVE-2021-23424
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424
Release Date: 2021-08-18
Fix Resolution: the resolutions listed by the scanner (VueJS.NetCore - 1.1.1; Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1; NorDroN.AngularTemplate - 0.1.6; CoreVueWebTest - 3.0.101; dotnetng.template - 1.0.0.4; Fable.Template.Elmish.React - 0.1.6; SAFE.Template - 3.0.1; GR.PageRender.Razor - 1.8.0; Envisia.DotNet.Templates - 3.0.1) are NuGet template packages and do not apply to an npm dependency. For this project the remediation is the one in the comment above: move to a webpack-dev-server release that no longer pulls in ansi-html 0.0.7 (webpack-dev-server 4.1.1 replaced it with the patched fork ansi-html-community), and drop the storybook dependency path that also hoists it, then re-run `yarn why ansi-html` to confirm no remaining path.
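The "stuck processing the input" behaviour in the Vulnerability Details above is a regular-expression denial of service. The JavaScript below is an added example, not code from ansi-html, webpack-dev-server or OpenSearch Dashboards: the page does not reproduce the library's source, so the nested-quantifier regex `\x1b\[(\d+)*m` is a reconstruction of the vulnerable pattern shape, the SGR-code-to-CSS table is a toy subset, and the hostile input is constructed. It converts the same text three ways (the nested-quantifier regex, a hardened regex with the nesting removed, and a hand-written linear scanner) and times the regex variants on an unterminated escape sequence so the exponential growth is visible without hanging the process.

```javascript
// Added example (not the ansi-html, webpack-dev-server or OSD code).
// Toy subset of SGR codes -> CSS, chosen for illustration only.
const STYLES = {
  1: 'font-weight:bold',
  31: 'color:#f00',
  32: 'color:#0f0',
};
const RESETS = new Set([0, 39]);

// Reconstructed shape of the vulnerable pattern (an assumption, see lead-in).
// The nested quantifier (\d+)* makes the engine try every way of splitting a
// digit run between repetitions of the group before concluding that no
// terminating 'm' follows: 2^(digits-1) paths, i.e. exponential time.
const VULNERABLE_RE = /\x1b\[(\d+)*m/g;
// Hardened pattern: one digit run, no nesting; a failed match costs O(n).
const HARDENED_RE = /\x1b\[(\d+)m/g;

// Replace "ESC [ <digits> m" with spans using the supplied pattern.
function toHtmlWithRegex(text, re) {
  let depth = 0;
  const out = text.replace(re, (match, code) => {
    const n = Number(code);
    if (RESETS.has(n)) {
      const closes = '</span>'.repeat(depth);
      depth = 0;
      return closes;
    }
    const style = STYLES[n];
    if (!style) return ''; // unknown code: drop the sequence
    depth += 1;
    return `<span style="${style}">`;
  });
  return out + '</span>'.repeat(depth);
}

// Hand-written scanner: one pass, no regex, so cost is linear in the input.
// Only "ESC [ digits m" is treated as a sequence; anything else is copied through.
function toHtmlLinear(text) {
  let out = '';
  let depth = 0;
  let i = 0;
  while (i < text.length) {
    if (text.charCodeAt(i) === 0x1b && text[i + 1] === '[') {
      let j = i + 2;
      while (j < text.length && text[j] >= '0' && text[j] <= '9') j++;
      if (j > i + 2 && text[j] === 'm') {
        const n = Number(text.slice(i + 2, j));
        if (RESETS.has(n)) {
          out += '</span>'.repeat(depth);
          depth = 0;
        } else if (STYLES[n]) {
          out += `<span style="${STYLES[n]}">`;
          depth += 1;
        }
        i = j + 1;
        continue;
      }
    }
    out += text[i++];
  }
  return out + '</span>'.repeat(depth);
}

// Constructed hostile input: escape introducer, a long digit run, and no 'm'.
function hostileInput(digits) {
  return '\x1b[' + '1'.repeat(digits) + 'x';
}

// Wall-clock timing helper; returns both the result and the elapsed ms.
function timeMs(fn) {
  const t0 = performance.now();
  const result = fn();
  return { result, ms: performance.now() - t0 };
}

function demo() {
  const sample = 'ok \x1b[1m\x1b[31mERROR\x1b[0m done';
  console.log(toHtmlWithRegex(sample, VULNERABLE_RE));
  console.log(toHtmlLinear(sample));
  // Each +4 digits multiplies the backtracking paths by 16 for the vulnerable
  // pattern; the hardened regex and the scanner stay flat.
  for (const n of [12, 16, 20]) {
    const bad = hostileInput(n);
    const v = timeMs(() => toHtmlWithRegex(bad, VULNERABLE_RE));
    const h = timeMs(() => toHtmlWithRegex(bad, HARDENED_RE));
    const s = timeMs(() => toHtmlLinear(bad));
    console.log(`${n} digits: nested ${v.ms.toFixed(2)} ms, hardened ${h.ms.toFixed(3)} ms, scanner ${s.ms.toFixed(3)} ms`);
  }
}

demo();
```

All three converters return identical HTML for well-formed input and return malformed input unchanged; the difference is only in how long the vulnerable pattern takes to give up, which is what the CVSS availability impact of High refers to. Raising the digit count in `demo()` a few steps past 20 is enough to stall a Node process for seconds, which is the attacker's goal.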