prebuild / prebuild-install

Minimal install client for prebuilds.
MIT License

Resolve vulnerabilities in dependencies (npmlog>gauge>ansi-regex) #163

Closed michaelpinnell closed 2 years ago

michaelpinnell commented 2 years ago

Recently npmlog released a new version (https://github.com/npm/npmlog/pull/84) resolving among other things vulnerabilities in underlying dependencies (relating to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3807). So I wanted to see if there was an effort to update npmlog in this package.

vweevers commented 2 years ago

It's too soon to be dropping Node.js 14, which upgrading npmlog would require.

The CVE seems low severity in this context. I'm happy to be proven wrong, in which case I'd suggest instead replacing npmlog with something simpler.

alitoufighi commented 2 years ago

Can we just manually set "ansi-regex": "^5.0.1"?

vweevers commented 2 years ago

@alitoufighi Yes, you can: https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
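An `overrides` entry such as `"overrides": { "ansi-regex": "^5.0.1" }` pins every nested copy, but it only helps if the lockfile actually changed. The script below is an added example, not code from the prebuild-install project: it walks an npm lockfile object (lockfileVersion 2 or 3, where `packages` maps `node_modules` paths to metadata) and reports any ansi-regex copy older than the 5.0.1 pin discussed above. The sample lockfile, its package versions and the `npmlog>gauge>ansi-regex` chain are constructed for illustration.

```javascript
// Added example, not code from the prebuild-install project. It scans an
// npm lockfile object (lockfileVersion 2 or 3, where "packages" maps
// node_modules paths to metadata) for nested copies of ansi-regex older
// than 5.0.1, the version the comments above pin via "overrides".

// Parse "x.y.z" (optionally "vx.y.z-pre") into numeric parts; assumes semver.
function parseVersion(v) {
  const core = String(v).replace(/^v/, '').split(/[-+]/)[0];
  return core.split('.').map((n) => parseInt(n, 10) || 0);
}

// Compare two versions numerically: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recover the dependency chain from a lockfile path such as
// "node_modules/npmlog/node_modules/gauge/node_modules/ansi-regex".
function chainFromPath(path) {
  return path
    .split('node_modules/')
    .map((s) => s.replace(/\/$/, ''))
    .filter(Boolean);
}

// Return every installed copy of `name` with a version below `fixedIn`.
function findVulnerableCopies(lock, name, fixedIn) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const chain = chainFromPath(path);
    if (chain[chain.length - 1] !== name) continue;
    if (compareVersions(meta.version, fixedIn) < 0) {
      hits.push({ path, version: meta.version, chain: chain.join('>') });
    }
  }
  return hits;
}

// Constructed sample lockfile (versions illustrative): a fixed ansi-regex is
// hoisted to the root, but a nested copy under npmlog>gauge is still old.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/ansi-regex': { version: '5.0.1' },
    'node_modules/npmlog': { version: '4.1.2' },
    'node_modules/npmlog/node_modules/gauge': { version: '2.7.4' },
    'node_modules/npmlog/node_modules/gauge/node_modules/ansi-regex': { version: '3.0.0' },
  },
};

// Human-readable report lines, one per vulnerable copy.
function report(lock) {
  return findVulnerableCopies(lock, 'ansi-regex', '5.0.1').map(
    (h) => `${h.chain} is ${h.version} (< 5.0.1) at ${h.path}`
  );
}

console.log(report(sampleLock).join('\n'));
```

To check a real tree, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` after running `npm install` with the override in place; an empty report means no nested copy below the pinned version remains.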

vweevers commented 2 years ago

@lovell @mceachen Continuing from https://github.com/prebuild/prebuild-install/pull/180: there's no benefit to npmlog anymore. We mostly have info level logs, and npm >= 7 swallows output on success, so a simple console.error(...) is really all we need here IMO.
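As an added example of the "something simpler" suggested in this thread (not code from prebuild-install or npmlog), here is a minimal logger that writes to stderr with npmlog-style level names. The level ordering, the `prefix` default and the injectable `write` function are this example's own choices.

```javascript
// Added example, not code from prebuild-install: a minimal logger that
// writes to stderr, as one way to replace npmlog with something simpler.
// Level names follow npmlog's; the numeric ordering here is this example's.
const LEVELS = { silly: 0, verbose: 1, info: 2, http: 3, warn: 4, error: 5, silent: 6 };

// `write` defaults to console.error so output goes to stderr, not stdout;
// it is injectable so tests (and callers) can capture lines instead.
function createLogger({ level = 'info', prefix = 'prebuild-install', write = (line) => console.error(line) } = {}) {
  if (!(level in LEVELS)) throw new Error(`unknown log level: ${level}`);
  let threshold = LEVELS[level];

  const logger = {
    get level() { return Object.keys(LEVELS).find((k) => LEVELS[k] === threshold); },
    setLevel(name) {
      if (!(name in LEVELS)) throw new Error(`unknown log level: ${name}`);
      threshold = LEVELS[name];
    },
  };

  for (const name of Object.keys(LEVELS)) {
    if (name === 'silent') continue;
    // Each method returns the emitted line, or null when filtered out.
    logger[name] = (...args) => {
      if (LEVELS[name] < threshold) return null;
      const line = `${prefix} ${name.toUpperCase()} ${args.join(' ')}`;
      write(line);
      return line;
    };
  }
  return logger;
}

// Demo: verbose is hidden at the default level and shown once raised.
const log = createLogger();
log.verbose('looking for prebuilt binary');  // filtered, returns null
log.info('found prebuilt binary');           // printed to stderr
log.setLevel('verbose');
log.verbose('now visible');
```

Everything goes to stderr, so a consumer capturing stdout (a script wrapping `npm install`, for instance) never sees log noise mixed into program output, and `setLevel('silent')` turns logging off entirely.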