Update of dependent package "@discordjs/opus"

[kokarare1212]

Issue:

It uses the dependency package "ansi-regex" (GHSA-93q8-gq69-wqmw),
which is vulnerable due to an outdated version of the dependency package "@discordjs/opus".
The version of the dependent package "@discordjs/opus" needs to be updated.

# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/strip-ansi
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/string-width

`-- @discordjs/opus@0.5.3
  `-- @discordjs/node-pre-gyp@0.4.2
    `-- npmlog@5.0.1
      `-- gauge@3.0.1
        `-- strip-ansi@4.0.0
          `-- ansi-regex@3.0.0

Further details:

• Operating System: Windows 11 (22000.318)
• Node.js version: 16.13.0
• Commit I'm using: https://github.com/amishshah/prism-media/tree/v1.3.2

[fredkilbourn]

This issue is further upstream and needs to be fixed first: discordjs/node-pre-gyp#5

[fredkilbourn]

The current versions of @discordjs/opus are also vulnerable. Once @discordjs/node-pre-gyp is fixed @discordjs/opus will also need to reference that fix. Once that happens prism-media can pull in the update.

[kokarare1212]

Yes, I understand.
I will wait until a fixed version is released.

[darahask]

@fredkilbourn any update on this issue?

[fredkilbourn]

I think they fixed it a while ago...

[sasjafor]

What exactly is this waiting on? Locally running npm i with @discordjs/opus updated to 0.8.0 seems to work. Can I create a PR to get this finally resolved?

[fredkilbourn]

This issue is referencing an issue from last year, not related to the CVE from this month.

[fredkilbourn]

Opened an issue for the new CVE: #105

This issue #92 should be closed.

[amishshah]

Fixed in v1.3.4