Security vulnerability in transitive ansi-regex dependency

[trygveaa]

One of the dependencies here is has-ansi: ^4.0.1. This in turn depends on ansi-regex: ^4.1.0 which recently got a security vulnerability: GHSA-93q8-gq69-wqmw

Could you please upgrade has-ansi to 5.0.1 which resolves it?

[medikoo]

@trygveaa Thanks for reporting

The problem with has-ansi@5 is that it drops support for Node.js v10 (and log-node at v8 is still obliged to support it), and more importantly, it's just an ESM module, which from the CJS context can be retrieved only asynchronously.

Nonetheless we probably copy has-ansi logic so it's inline to mitigate that issue

[trygveaa]

Ah, okay. I suppose we could ask for a backport to has-ansi 4.x, they did a backport of ansi-regex to a version before changing to ESM.

[medikoo]

Ah, okay. I suppose we could ask for a backport to has-ansi 4.x,

@trygveaa that feels as great idea. As has-ansi 5x introduces a big shift (different modules format)