
Update vulnerable packages #14

Merged
merged 2 commits into from
Feb 23, 2022

Conversation

massongit
Contributor

#12

I update vulnerable packages.

@massongit
Contributor Author

massongit commented Feb 23, 2022

snap-shot-it is also a vulnerable package.
However, I can not update it.

@azu
Owner

azu commented Feb 23, 2022

snap-shot-it can be moved to devDeps. It is only used in test.

@azu
Owner

azu commented Feb 23, 2022

However, I can not update it.

Why?

@massongit
Contributor Author

snap-shot-it is already the latest version and ansi-regex is not updated when I run yarn update.

@azu
Owner

azu commented Feb 23, 2022

yarn upgrade can update yarn.lock.
It is useful for updating packages in semver range.
(This update does not affect library user)

@massongit
Contributor Author

I ran yarn upgrade but ansi-regex of snap-shot-it can not be updated.
I think that the major version of this package is old.

$ yarn upgrade
yarn upgrade v1.22.11
[1/4] 🔍  Resolving packages...
warning lerna > @lerna/bootstrap > read-package-tree@5.3.1: The functionality that this package provided is now in @npmcli/arborist
warning lerna > @lerna/version > temp-write > uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
warning lerna > @lerna/add > pacote > @npmcli/run-script > node-gyp > request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
warning lerna > @lerna/bootstrap > @lerna/run-lifecycle > npm-lifecycle > node-gyp > request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
warning lerna > @lerna/add > pacote > @npmcli/run-script > node-gyp > request > uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
warning lerna > @lerna/add > pacote > @npmcli/run-script > node-gyp > request > har-validator@5.1.5: this library is no longer supported
warning workspace-aggregator-d6954567-3115-46c2-8a27-81e06dbe0bac > match-test-replace > mocha > mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
warning workspace-aggregator-d6954567-3115-46c2-8a27-81e06dbe0bac > nlcst-pattern-match > snap-shot-it > snap-shot-compare > debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
[2/4] 🚚  Fetching packages...
[3/4] 🔗  Linking dependencies...
[4/4] 🔨  Rebuilding all packages...
success Saved lockfile.
success Saved 414 new dependencies.
info Direct dependencies
info All dependencies
├─ @babel/code-frame@7.16.7
├─ @babel/helper-validator-identifier@7.16.7
├─ @babel/highlight@7.16.10
├─ @bahmutov/data-driven@1.0.0
├─ @gar/promisify@1.1.3
├─ @hutson/parse-repository-url@3.0.2
├─ @lerna/add@4.0.0
├─ @lerna/changed@4.0.0
├─ @lerna/clean@4.0.0
├─ @lerna/cli@4.0.0
├─ @lerna/collect-uncommitted@4.0.0
├─ @lerna/conventional-commits@4.0.0
├─ @lerna/create@4.0.0
├─ @lerna/diff@4.0.0
├─ @lerna/exec@4.0.0
├─ @lerna/filter-packages@4.0.0
├─ @lerna/get-packed@4.0.0
├─ @lerna/github-client@4.0.0
├─ @lerna/gitlab-client@4.0.0
├─ @lerna/global-options@4.0.0
├─ @lerna/has-npm-version@4.0.0
├─ @lerna/import@4.0.0
├─ @lerna/info@4.0.0
├─ @lerna/init@4.0.0
├─ @lerna/link@4.0.0
├─ @lerna/list@4.0.0
├─ @lerna/log-packed@4.0.0
├─ @lerna/npm-dist-tag@4.0.0
├─ @lerna/npm-install@4.0.0
├─ @lerna/npm-publish@4.0.0
├─ @lerna/npm-run-script@4.0.0
├─ @lerna/pack-directory@4.0.0
├─ @lerna/project@4.0.0
├─ @lerna/publish@4.0.0
├─ @lerna/resolve-symlink@4.0.0
├─ @lerna/run@4.0.0
├─ @lerna/timer@4.0.0
├─ @lerna/write-log-file@4.0.0
├─ @nodelib/fs.scandir@2.1.5
├─ @nodelib/fs.stat@2.0.5
├─ @nodelib/fs.walk@1.2.8
├─ @npmcli/ci-detect@1.4.0
├─ @npmcli/fs@1.1.1
├─ @npmcli/git@2.1.0
├─ @npmcli/installed-package-contents@1.0.7
├─ @npmcli/move-file@1.1.2
├─ @npmcli/node-gyp@1.0.3
├─ @npmcli/run-script@1.8.6
├─ @octokit/auth-token@2.5.0
├─ @octokit/core@3.5.1
├─ @octokit/endpoint@6.0.12
├─ @octokit/graphql@4.8.0
├─ @octokit/openapi-types@11.2.0
├─ @octokit/plugin-enterprise-rest@6.0.1
├─ @octokit/plugin-paginate-rest@2.17.0
├─ @octokit/plugin-request-log@1.0.4
├─ @octokit/plugin-rest-endpoint-methods@5.13.0
├─ @octokit/request-error@2.1.0
├─ @octokit/rest@18.12.0
├─ @tootallnate/once@1.1.2
├─ @types/debug@0.0.30
├─ @types/minimatch@3.0.5
├─ @types/minimist@1.2.2
├─ @types/normalize-package-data@2.4.1
├─ @types/parse-json@4.0.0
├─ @types/unist@2.0.6
├─ add-stream@1.0.0
├─ aggregate-error@3.1.0
├─ ajv@6.12.6
├─ ansi-escapes@4.3.2
├─ aproba@1.2.0
├─ are-we-there-yet@1.1.7
├─ arg@4.1.3
├─ array-differ@3.0.0
├─ array-ify@1.0.0
├─ array-iterate@1.1.4
├─ arrify@1.0.1
├─ asap@2.0.6
├─ asn1@0.2.6
├─ async@2.6.3
├─ asynckit@0.4.0
├─ at-least-node@1.0.0
├─ aws-sign2@0.7.0
├─ aws4@1.11.0
├─ balanced-match@1.0.2
├─ bcrypt-pbkdf@1.0.2
├─ before-after-hook@2.2.2
├─ braces@3.0.2
├─ browser-stdout@1.3.1
├─ builtins@1.0.3
├─ byline@5.0.0
├─ byte-size@7.0.1
├─ cacache@15.3.0
├─ callsites@3.1.0
├─ camelcase-keys@6.2.2
├─ camelcase@5.3.1
├─ caseless@0.12.0
├─ chardet@0.7.0
├─ ci-info@2.0.0
├─ cities-list@1.0.3
├─ clean-stack@2.2.0
├─ cli-truncate@3.1.0
├─ cli-width@3.0.0
├─ cliui@7.0.4
├─ clone-deep@4.0.1
├─ clone@1.0.4
├─ cmd-shim@4.1.0
├─ code-point-at@1.1.0
├─ color-convert@2.0.1
├─ color-name@1.1.4
├─ combined-stream@1.0.8
├─ commander@8.3.0
├─ compare-func@2.0.0
├─ concat-map@0.0.1
├─ concat-stream@2.0.0
├─ config-chain@1.1.13
├─ console-control-strings@1.1.0
├─ conventional-changelog-angular@5.0.13
├─ conventional-changelog-core@4.2.4
├─ conventional-changelog-preset-loader@2.3.4
├─ conventional-changelog-writer@5.0.1
├─ conventional-recommended-bump@6.1.0
├─ core-util-is@1.0.3
├─ cosmiconfig@7.0.1
├─ cross-spawn@6.0.5
├─ dargs@7.0.0
├─ dashdash@1.14.1
├─ debug@4.3.3
├─ debuglog@1.0.1
├─ decamelize-keys@1.1.0
├─ decamelize@1.2.0
├─ decode-uri-component@0.2.0
├─ defaults@1.0.3
├─ delayed-stream@1.0.0
├─ delegates@1.0.0
├─ depd@1.1.2
├─ deprecation@2.3.1
├─ detect-indent@6.1.0
├─ dezalgo@1.0.3
├─ diff@3.5.0
├─ dir-glob@3.0.1
├─ disparity@3.0.0
├─ dot-prop@6.0.1
├─ doublearray@0.0.2
├─ duplexer@0.1.2
├─ eastasianwidth@0.2.0
├─ ecc-jsbn@0.1.2
├─ emoji-regex@8.0.0
├─ en-lexicon@1.0.11
├─ en-pos@1.0.16
├─ en-stemmer@1.0.3
├─ encoding@0.1.13
├─ envinfo@7.8.1
├─ err-code@2.0.3
├─ es-abstract@1.19.1
├─ es-to-primitive@1.2.1
├─ escalade@3.1.1
├─ escape-quotes@1.0.2
├─ estree-walker@0.5.2
├─ eventemitter3@4.0.7
├─ execa@5.1.1
├─ extend@3.0.2
├─ external-editor@3.1.0
├─ extsprintf@1.3.0
├─ fast-deep-equal@3.1.3
├─ fast-glob@3.2.11
├─ fast-json-stable-stringify@2.1.0
├─ fastq@1.13.0
├─ figures@3.2.0
├─ fill-range@7.0.1
├─ filter-obj@1.1.0
├─ find-up@4.1.0
├─ forever-agent@0.6.1
├─ form-data@2.3.3
├─ gauge@2.7.4
├─ get-caller-file@2.0.5
├─ get-pkg-repo@4.2.1
├─ get-port@5.1.1
├─ get-symbol-description@1.0.0
├─ getpass@0.1.7
├─ git-remote-origin-url@2.0.0
├─ git-up@4.0.5
├─ git-url-parse@11.6.0
├─ gitconfiglocal@1.0.0
├─ glob-parent@5.1.2
├─ growl@1.10.5
├─ handlebars@4.7.7
├─ har-schema@2.0.0
├─ har-validator@5.1.5
├─ hard-rejection@2.1.0
├─ has-ansi@2.0.0
├─ has-only@1.1.1
├─ has-unicode@2.0.1
├─ he@1.1.1
├─ hosted-git-info@4.1.0
├─ http-signature@1.2.0
├─ human-signals@2.1.0
├─ humanize-ms@1.2.1
├─ humannames@1.0.5
├─ iconv-lite@0.6.3
├─ ignore-walk@3.0.4
├─ ignore@5.2.0
├─ import-fresh@3.3.0
├─ import-local@3.1.0
├─ ini@1.3.8
├─ init-package-json@2.0.5
├─ inquirer@7.3.3
├─ internal-slot@1.0.3
├─ ip@1.1.5
├─ is-arrayish@0.2.1
├─ is-bigint@1.0.4
├─ is-boolean-object@1.1.2
├─ is-callable@1.2.4
├─ is-ci@2.0.0
├─ is-core-module@2.8.1
├─ is-date-object@1.0.5
├─ is-extglob@2.1.1
├─ is-glob@4.0.3
├─ is-negative-zero@2.0.2
├─ is-number-object@1.0.6
├─ is-number@7.0.0
├─ is-plain-obj@1.1.0
├─ is-regex@1.1.4
├─ is-shared-array-buffer@1.0.1
├─ is-string@1.0.7
├─ is-symbol@1.0.4
├─ is-text-path@1.0.1
├─ is-typedarray@1.0.0
├─ is-weakref@1.0.2
├─ isarray@1.0.0
├─ isobject@3.0.1
├─ isstream@0.1.2
├─ its-name@1.0.0
├─ js-tokens@4.0.0
├─ jsesc@2.5.2
├─ json-parse-better-errors@1.0.2
├─ json-schema-traverse@0.4.1
├─ json-schema@0.4.0
├─ json-stringify-safe@5.0.1
├─ jsonfile@6.1.0
├─ jsonparse@1.3.1
├─ JSONStream@1.3.5
├─ jsprim@1.4.2
├─ kind-of@6.0.3
├─ kuromoji@0.1.1
├─ kuromojin@1.5.1
├─ libnpmaccess@4.0.3
├─ libnpmpublish@4.0.2
├─ lilconfig@2.0.4
├─ lines-and-columns@1.2.4
├─ listr2@4.0.4
├─ locate-path@5.0.0
├─ lodash.ismatch@4.4.0
├─ lodash.template@4.5.0
├─ lodash.templatesettings@4.2.0
├─ lodash@4.17.21
├─ log-update@4.0.0
├─ make-error@1.3.6
├─ make-fetch-happen@9.1.0
├─ map-obj@1.0.1
├─ merge-stream@2.0.0
├─ merge2@1.4.1
├─ mime-db@1.51.0
├─ mime-types@2.1.34
├─ mimic-fn@2.1.0
├─ min-indent@1.0.1
├─ minimist-options@4.1.0
├─ minipass-sized@1.0.3
├─ mkdirp-infer-owner@2.0.0
├─ mkdirp@1.0.4
├─ modify-values@1.0.1
├─ mute-stream@0.0.8
├─ negotiator@0.6.3
├─ neo-async@2.6.2
├─ nice-try@1.0.5
├─ node-fetch@2.6.7
├─ node-gyp@5.1.1
├─ nopt@4.0.3
├─ normalize-path@1.0.0
├─ normalize-url@6.1.0
├─ npm-install-checks@4.0.0
├─ npm-lifecycle@3.1.5
├─ npm-pick-manifest@6.1.1
├─ npm-run-path@4.0.1
├─ number-is-nan@1.0.1
├─ oauth-sign@0.9.0
├─ object-assign@4.1.1
├─ object-inspect@1.12.0
├─ object.assign@4.1.2
├─ object.getownpropertydescriptors@2.1.3
├─ onetime@5.1.2
├─ os-homedir@1.0.2
├─ os-tmpdir@1.0.2
├─ osenv@0.1.5
├─ p-finally@1.0.0
├─ p-limit@2.3.0
├─ p-locate@4.1.0
├─ p-queue@6.6.2
├─ p-reduce@2.1.0
├─ p-timeout@3.2.0
├─ p-try@2.2.0
├─ parent-module@1.0.1
├─ parse-english@4.2.0
├─ parse-latin@4.3.0
├─ parse-path@4.0.3
├─ parse-url@6.0.0
├─ path-key@3.1.1
├─ path-parse@1.0.7
├─ performance-now@2.1.0
├─ picomatch@2.3.1
├─ pkg-dir@4.2.0
├─ process-nextick-args@2.0.1
├─ promzard@0.3.0
├─ proto-list@1.2.4
├─ psl@1.8.0
├─ punycode@2.1.1
├─ qs@6.5.3
├─ query-string@6.14.1
├─ queue-microtask@1.2.3
├─ quick-lru@4.0.1
├─ quote@0.4.0
├─ read-cmd-shim@2.0.0
├─ read-package-json@2.1.2
├─ read-package-tree@5.3.1
├─ read-pkg-up@3.0.0
├─ read@1.0.7
├─ readable-stream@3.6.0
├─ readdir-scoped-modules@1.1.0
├─ redent@3.0.0
├─ request@2.88.2
├─ require-directory@2.1.1
├─ resolve-cwd@3.0.0
├─ resolve@1.22.0
├─ restore-cursor@3.1.0
├─ retry@0.12.0
├─ reusify@1.0.4
├─ rfdc@1.3.0
├─ run-async@2.4.1
├─ run-parallel@1.2.0
├─ rxjs@7.5.4
├─ safe-buffer@5.2.1
├─ safer-buffer@2.1.2
├─ set-blocking@2.0.0
├─ shallow-clone@3.0.1
├─ shebang-command@1.2.0
├─ shebang-regex@1.0.0
├─ slice-ansi@5.0.0
├─ slide@1.1.6
├─ smart-buffer@4.2.0
├─ snap-shot-compare@3.0.0
├─ snap-shot-core@10.2.4
├─ snap-shot-it@7.9.6
├─ socks-proxy-agent@6.1.1
├─ socks@2.6.2
├─ source-map-support@0.5.21
├─ source-map@0.6.1
├─ spdx-correct@3.1.1
├─ spdx-exceptions@2.3.0
├─ split-on-first@1.1.0
├─ split@1.0.1
├─ sshpk@1.17.0
├─ strict-uri-encode@2.0.0
├─ string_decoder@1.3.0
├─ string-argv@0.3.1
├─ string.prototype.trimend@1.0.4
├─ string.prototype.trimstart@1.0.4
├─ strip-bom@4.0.0
├─ strip-final-newline@2.0.0
├─ strip-indent@2.0.0
├─ strong-log-transformer@2.1.0
├─ supports-color@7.2.0
├─ supports-preserve-symlinks-flag@1.0.0
├─ temp-dir@1.0.0
├─ text-extensions@1.9.0
├─ through@2.3.8
├─ tmp@0.0.33
├─ to-regex-range@5.0.1
├─ tough-cookie@2.5.0
├─ tr46@2.1.0
├─ trim-newlines@3.0.1
├─ tslib@2.3.1
├─ tunnel-agent@0.6.0
├─ tweetnacl@0.14.5
├─ typedarray-to-buffer@3.1.5
├─ typedarray@0.0.6
├─ uglify-js@3.15.1
├─ uid-number@0.0.6
├─ umask@1.1.0
├─ unbox-primitive@1.0.1
├─ unique-filename@1.1.1
├─ unique-slug@2.0.2
├─ unist-util-inspect@7.0.0
├─ unist-util-is@3.0.0
├─ unist-util-visit-parents@2.1.2
├─ unist-util-visit@1.4.1
├─ upath@2.0.1
├─ uri-js@4.4.1
├─ util-deprecate@1.0.2
├─ util-promisify@2.1.0
├─ variable-diff@1.1.0
├─ verror@1.10.0
├─ wcwidth@1.0.1
├─ webidl-conversions@6.1.0
├─ which-boxed-primitive@1.0.2
├─ which@1.3.1
├─ wide-align@1.1.5
├─ wordwrap@1.0.0
├─ write-file-atomic@3.0.3
├─ xtend@4.0.2
├─ y18n@5.0.8
├─ yaml@1.10.2
├─ yargs-parser@20.2.9
├─ yn@2.0.0
└─ zlibjs@0.2.0
✨  Done in 21.43s.

$ yarn why ansi-regex
yarn why v1.22.11
[1/4] 🤔  Why do we have the module "ansi-regex"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "ansi-regex@2.1.1"
info Has been hoisted to "ansi-regex"
info Reasons this module exists
   - "workspace-aggregator-42645929-9c15-4d54-86f8-6323aa6fcc37" depends on it
   - Hoisted from "_project_#lerna#npmlog#gauge#strip-ansi#ansi-regex"
   - Hoisted from "_project_#nlcst-pattern-match#snap-shot-it#snap-shot-compare#variable-diff#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#nlcst-pattern-match#snap-shot-it#snap-shot-compare#variable-diff#chalk#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "strip-ansi#ansi-regex@5.0.1"
info This module exists because "_project_#strip-ansi" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "snap-shot-compare#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#nlcst-pattern-match#snap-shot-it#snap-shot-compare#strip-ansi" depends on it
   - Hoisted from "_project_#nlcst-pattern-match#snap-shot-it#snap-shot-compare#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "cli-truncate#ansi-regex@6.0.1"
info Reasons this module exists
   - "_project_#lint-staged#cli-truncate#string-width#strip-ansi" depends on it
   - Hoisted from "_project_#lint-staged#cli-truncate#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
✨  Done in 0.24s.
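The `yarn why` output above shows four different resolved versions of ansi-regex, and the earlier comment explains why `yarn upgrade` can only move a transitive dependency within the semver range its dependant declares. The following script is an added example (not code from this PR or from the project) that makes that distinction checkable from a yarn.lock v1 file: for every declared range of one package it reports whether the resolved version is already patched, whether `yarn upgrade` could re-resolve the range to a patched version, or whether the range is blocked and the dependant itself has to widen it. The lockfile excerpt, the declared ranges, and the list of patched versions are constructed placeholders; only the ansi-regex version numbers are taken from the PR output, and the real patched versions must come from the relevant advisory.

```python
"""Audit a yarn.lock (v1) for every resolved version of one package.

Added example, not the project's own tooling. Range parsing covers the common
^, ~, >= and exact forms; anything else raises so it is never silently ignored.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed yarn.lock excerpt: the ansi-regex versions (2.1.1, 4.1.0, 5.0.1,
# 6.0.1) match the PR's `yarn why` output; the declared ranges are invented.
SAMPLE_LOCK = """\
ansi-regex@^2.0.0:
  version "2.1.1"
  resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-2.1.1.tgz"

ansi-regex@^4.1.0:
  version "4.1.0"
  resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-4.1.0.tgz"

ansi-regex@^5.0.0, ansi-regex@^5.0.1:
  version "5.0.1"
  resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-5.0.1.tgz"

ansi-regex@^6.0.1:
  version "6.0.1"
  resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-6.0.1.tgz"

strip-ansi@^3.0.0:
  version "3.0.1"
  resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-3.0.1.tgz"
  dependencies:
    ansi-regex "^2.0.0"
"""

# Placeholder list of patched versions, one per release line. Replace with the
# versions named in the advisory you are tracking; these are NOT from the PR.
PLACEHOLDER_PATCHED = ["4.1.1", "5.0.1", "6.0.1"]


def parse_version(text: str) -> Version:
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unsupported version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def range_bounds(spec: str) -> Tuple[Version, Optional[Version]]:
    """Return (inclusive lower, exclusive upper) bounds of a semver range."""
    spec = spec.strip()
    if spec.startswith("^"):
        lo = parse_version(spec[1:])
        major, minor, patch = lo
        if major > 0:
            return lo, (major + 1, 0, 0)
        if minor > 0:
            return lo, (0, minor + 1, 0)
        return lo, (0, 0, patch + 1)
    if spec.startswith("~"):
        lo = parse_version(spec[1:])
        return lo, (lo[0], lo[1] + 1, 0)
    if spec.startswith(">="):
        return parse_version(spec[2:]), None
    lo = parse_version(spec)  # exact pin
    return lo, (lo[0], lo[1], lo[2] + 1)


def satisfies(version: Version, spec: str) -> bool:
    lo, hi = range_bounds(spec)
    return version >= lo and (hi is None or version < hi)


def parse_yarn_lock(text: str) -> List[Tuple[str, List[str], Version]]:
    """Minimal yarn.lock v1 reader: (package name, declared ranges, resolved version)."""
    entries: List[Tuple[str, List[str], Version]] = []
    name, ranges, version = "", [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" ") and line.endswith(":"):
            if name and version:
                entries.append((name, ranges, version))
            keys = [k.strip().strip('"') for k in line[:-1].split(",")]
            # split on the last "@" so scoped names (@scope/pkg@^1.0.0) survive
            name = keys[0].rsplit("@", 1)[0]
            ranges = [k.rsplit("@", 1)[1] for k in keys]
            version = None
        elif line.strip().startswith("version "):
            version = parse_version(line.split('"')[1])
    if name and version:
        entries.append((name, ranges, version))
    return entries


def audit(lock_text: str, package: str, patched: List[str]) -> Dict[str, str]:
    """Map each declared range of `package` to: patched, upgradable or blocked."""
    fixes = [parse_version(p) for p in patched]
    result: Dict[str, str] = {}
    for name, ranges, resolved in parse_yarn_lock(lock_text):
        if name != package:
            continue
        # patched if a fix exists on the same major line and resolved is at/after it
        is_patched = any(f[0] == resolved[0] and resolved >= f for f in fixes)
        for spec in ranges:
            if is_patched:
                result[spec] = "patched"
            elif any(satisfies(f, spec) for f in fixes):
                result[spec] = "upgradable"  # `yarn upgrade` can re-resolve within the range
            else:
                result[spec] = "blocked"  # the dependant must widen its declared range
    return result


if __name__ == "__main__":
    for spec, status in audit(SAMPLE_LOCK, "ansi-regex", PLACEHOLDER_PATCHED).items():
        print(f"ansi-regex@{spec}: {status}")
```

Run against a real lockfile by reading the file into `audit` and supplying the advisory's patched versions. A "blocked" result is the situation described in this PR: no amount of `yarn upgrade` helps, so the only options are a new release of the dependant that widens its range, a `resolutions` override in package.json, or (as done here) demoting the dependant so library consumers never install it.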

@massongit
Contributor Author

I move snap-shot-it to devDependencies: 45d6560
Therefore, it seems that there is no problem when we use this package.

@azu azu merged commit c2a0386 into azu:master Feb 23, 2022
@massongit massongit deleted the update branch February 23, 2022 06:23