Closed michaelpinnell closed 2 years ago
It's too soon to be dropping Node.js 14, which upgrading npmlog would require.
The CVE seems low severity in this context. I'm happy to be proven wrong, in which case I'd suggest instead replacing npmlog with something simpler.
Can we just manually set "ansi-regex": "^5.0.1"?
@alitoufighi Yes, you can: https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
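As an added illustration of the overrides approach linked above (not taken from the thread or from the project's own package.json), this is what a consuming project's package.json could look like when it pins the transitive ansi-regex to the patched range while leaving the direct dependency untouched. The package name, version, and the direct dependency entry are assumed placeholders.

```json
{
  "name": "example-consumer",
  "version": "0.0.0",
  "dependencies": {
    "prebuild-install": "^7.0.0"
  },
  "overrides": {
    "ansi-regex": "^5.0.1"
  }
}
```

After `npm install` (npm 8.3 or later is needed for `overrides`), `npm ls ansi-regex` shows which copies were actually resolved, which is the check to run before treating the advisory as addressed; an override only takes effect for packages whose own range is satisfiable by the pinned version, so a dependency that declares `ansi-regex@^4` still needs its own fix.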
@lovell @mceachen Continuing from https://github.com/prebuild/prebuild-install/pull/180: there's no benefit to npmlog anymore. We mostly have info level logs, and npm >= 7 swallows output on success, so a simple console.error(...) is really all we need here IMO.
Recently npmlog released a new version (https://github.com/npm/npmlog/pull/84) resolving among other things vulnerabilities in underlying dependencies (relating to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3807). So I wanted to see if there was an effort to update npmlog in this package.