CVE-2021-3807 Resolution #5

fredkilbourn · 2021-11-16T18:41:29Z

Inefficient Regular Expression Complexity in chalk/ansi-regex
ansi-regex is vulnerable to Inefficient Regular Expression Complexity

GHSA-93q8-gq69-wqmw

This is coming from upstream but the fixes are just now reaching this level:

├ @discordjs/node-pre-gyp@0.4.2
└─┬ npmlog@5.0.1
  └─┬ gauge@3.0.1
    ├─┬ string-width@2.1.1
    │ └── strip-ansi@4.0.0 deduped
    ├─┬ strip-ansi@4.0.0
    │ └── ansi-regex@3.0.0
    └─┬ wide-align@1.1.5
      └── string-width@2.1.1 deduped

npmlog v5 is vulnerable, but npmlog v6 is now using the fixed upstream packages and is no longer vulnerable.

This commit in https://github.com/mapbox/node-pre-gyp now starts using npmlog v6: mapbox@ef8f171

I don't know if you guys are forking from main or waiting for release tags, but you should be able to integrate this fix now/soon.

The text was updated successfully, but these errors were encountered:

fredkilbourn · 2021-11-16T18:43:31Z

Related upstream issue: mapbox#620

fredkilbourn · 2021-11-16T19:03:15Z

@mapbox/node-pre-gyp@1.0.7 is now published which includes npmlog@6

mapbox#620 (comment)

fredkilbourn · 2021-12-01T15:18:19Z

2 week bump

fredkilbourn added the bug Something isn't working label Nov 16, 2021

fredkilbourn mentioned this issue Nov 16, 2021

Update of dependent package "@discordjs/opus" amishshah/prism-media#92

Closed

samarmeena mentioned this issue Nov 20, 2021

fix: CVE-2021-3807 #6

Closed

3 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2021-3807 Resolution #5

CVE-2021-3807 Resolution #5

fredkilbourn commented Nov 16, 2021

fredkilbourn commented Nov 16, 2021

fredkilbourn commented Nov 16, 2021

fredkilbourn commented Dec 1, 2021

CVE-2021-3807 Resolution #5

CVE-2021-3807 Resolution #5

Comments

fredkilbourn commented Nov 16, 2021

fredkilbourn commented Nov 16, 2021

fredkilbourn commented Nov 16, 2021

fredkilbourn commented Dec 1, 2021