
Upgrade dependency to fix Vulnerability CVE-2021-3807 #4759

Closed
deepakvk opened this issue Sep 30, 2021 · 1 comment
Labels
status: wontfix typically a feature which won't be added, or a "bug" which is actually intended behavior

Comments

@deepakvk

deepakvk commented Sep 30, 2021

There's a Regular Expression Denial of Service vulnerability in the ansi-regex package in versions < 6.0.1:
https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
https://nvd.nist.gov/vuln/detail/CVE-2021-3807

We are using mocha@^6.2.3, which has the affected vulnerable modules yargs, wide-align and string-width. Currently our project only supports the Node 8 engine.

  1. wide-align@1.1.3 -> string-width@2.1.1 -> strip-ansi@4.0.0 -> ansi-regex@3.0.0
  2. yargs@13.3.2 -> cliui@5.0.0 -> strip-ansi@5.2.0 -> ansi-regex@4.1.0
  3. string-width@3.1.0 -> strip-ansi@5.2.0 -> ansi-regex@4.1.0

Would it be possible to update the yargs dependency to use a major version like ^15.0.0, and the other two affected modules, which have the fixed version of ansi-regex?

Fixed versions are https://github.com/chalk/ansi-regex/releases/tag/v6.0.1, https://github.com/chalk/ansi-regex/releases/tag/v5.0.1

@juergba
Member

juergba commented Sep 30, 2021

@deepakvk I don't know how big the effort would be to make those upgrades, especially with yargs. Most probably I'm not going to find out for a few reasons:

  • most likely there is no ReDoS vulnerability. Mocha is a test framework, a devDependency, a CLI tool without any direct user input and out of a server context; see also your links above: You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools. Please explain how a supposed ReDoS attack on Mocha would take place.
  • our recent version is v9.2.1, we normally do not follow a LTS strategy
  • Node v8 has been EOL since Dec-2019
  • btw string-width is not a direct dependency of Mocha

So IMO this is a bogus vulnerability message (Mocha's point of view only), no matter its origin: GitHub, Snyk, npm or whatever.
And I'm not willing to invest my time in solving such fake vulnerability issues.

@juergba juergba added the status: wontfix typically a feature which won't be added, or a "bug" which is actually intended behavior label Oct 8, 2021
@juergba juergba closed this as completed Oct 8, 2021