Dependency update

[opravil-jan]

Hi,
can you please update string-width to latest version, because of the vulnerability, please?

Thanks
John

[albertyw]

If you're referring to

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/wide-align/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/wide-align/node_modules/strip-ansi
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/wide-align/node_modules/string-width

This is because you're using an older version of wide-align. The most recent version of this package (v1.1.5) doesn't report any vulnerabilities. You can check for yourself if you clone the repository, delete the .npmrc to allow generation of a package-lock.json, install dependencies with npm install, and run npm audit.

On my system, it seems I had an old version of mocha which was loading an old version of wide-align which still had the above vulnerability.

[kjmph]

Using wide-align directly works with no errors. However, the wide-align that gets included by gauge (a dependency of npm) ends up with a transitive dependency on older versions of ansi-regex. I noticed that one can rebuild package-lock.json for npm, and wide-align no longer reports error.. yet this project shows up at the top of the list with the npm's currently committed package-lock.json.