Fix potential ReDoS (#37) #47
Conversation
This is a backport of chalk@8d1d7cd the test suite on the 3.0.0 branch is broken but I've manually verified that no additional tests are broken and that this patch fixes the REDOS
|
As this is targeting a "non-existent" branch built on top of v3.0.0 you will need to create a new branch to target this PR. This can be easily done via git checkout v3.0.0 -b backport/v3 |
|
Please see #46 (comment) - multiple PRs are not necessary, I'm able to run |
|
@Qix- the commit does not land cleanly of v3 and require me to manually backport hence two PRS |
|
@Qix- thanks again for landing this on the v4.x branch. Would you be open to willing to land this and cut a new version of v3.x as well? fwiw the npm CLI itself is affected by this one |
|
PR to update the GHSA github/advisory-database#160 |
|
Looks like NIST has also updated the CVE, received an email from them today. The data looks a bit weird but I'll wait 24 hours for it to fully propagate. Assuming it updates correctly there should be no more automated warning about ansi-regex anymore from any tools 🎉 https://nvd.nist.gov/vuln/detail/CVE-2021-3807#match-7770592 |
|
Thanks again @MylesBorins! Very much appreciated :) |
|
team work 🥳 |
This is a backport of 8d1d7cd
the test suite on the 3.0.0 branch is broken but I've manually verified
that no additional tests are broken and that this patch fixes the REDOS