
Inefficient Regular Expression Complexity in chalk/ansi-regex #10182

Closed
4 tasks done
ThomasLarge opened this issue Nov 2, 2021 · 8 comments

Comments

@ThomasLarge

ThomasLarge commented Nov 2, 2021

Are you certain it's a bug?

  • Yes, it looks like a bug

Is the issue caused by a plugin?

  • It is not a plugin issue

Are you using the latest version?

  • Yes, I'm using the latest version

Is there an existing issue for this?

  • I have searched existing issues, it hasn't been reported yet

Issue description

The latest version of the package has the following vulnerability

ansi-regex

patched in 5.0.1 and 6.0.1

GHSA-93q8-gq69-wqmw

Service configuration (serverless.yml) content

N/A

Command name and used flags

N/A

Command output

N/A

Environment information

Serverless: Running "serverless" installed locally (in service node_modules)
Framework Core: 2.64.1 (local)
Plugin: 5.5.0
SDK: 4.3.0
Components: 3.17.1
@medikoo
Contributor

medikoo commented Nov 2, 2021

@ThomasLarge You've checked that you're using the latest version, while the Environment information you've pasted shows otherwise.

@ThomasLarge
Author

@medikoo sorry about that, I have updated the above and here is the config; I copied the wrong one!

Serverless: Running "serverless" installed locally (in service node_modules)
Framework Core: 2.64.1 (local)
Plugin: 5.5.0
SDK: 4.3.0
Components: 3.17.1

@ThomasLarge ThomasLarge removed their assignment Nov 2, 2021
@medikoo
Contributor

medikoo commented Nov 2, 2021

@ThomasLarge thanks for the report.

As I investigated, ansi-regex at versions lower than v5 is loaded deeply via the following dependencies:

  • @serverless/cli (strip-ansi@6) - dependency on it will be removed in the v3 release of the Framework (in context of Externalize Serverless Components CLI #9855)
  • @serverless/components (@serverless/platform-client-china@2 -> @serverless/utils-china@1 -> kafka-node@5 -> snappy@6 -> prebuild-install@5 -> npmlog@4 -> gauge@2 -> strip-ansi@3) - dependency on it will be removed in the v3 release of the Framework (in context of Externalize Serverless Components CLI #9855)
  • @serverless/utils (log-node@8 -> cli-sprintf-format@1 -> cli-color@1) - Here it's a question of upgrading cli-sprintf-format so it uses the latest version of cli-color; we have the ability to update that
  • boxen (wrap-ansi@7 -> has-ansi@4) - as the latest major of boxen is ESM only, we will have to ditch/replace this dependency
  • tabtab (inquirer@6 -> strip-ansi@5) - This dependency seems no longer maintained, so we either should fork it, or consider dropping this functionality (handled at Consider dropping autocomplete (tab tab) support #8473)

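An added example, not code from this issue or from the Serverless project: a small lockfile audit that finds every copy of ansi-regex in a lockfileVersion 2 `package-lock.json`, flags versions below the patched 5.0.1 / 6.0.1 releases named in GHSA-93q8-gq69-wqmw, and reports which packages each copy is physically nested under. The lockfile object is constructed for the example and mirrors some of the chains listed above; real input would come from `JSON.parse(fs.readFileSync("package-lock.json"))`.

```javascript
// Constructed sample of a lockfileVersion 2 "packages" map. It is NOT the
// Serverless lockfile; the nesting imitates the tabtab and boxen chains above.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/tabtab": { version: "3.0.2" },
    "node_modules/tabtab/node_modules/inquirer": { version: "6.5.2" },
    "node_modules/tabtab/node_modules/strip-ansi": { version: "5.2.0" },
    "node_modules/tabtab/node_modules/ansi-regex": { version: "4.1.0" },
    "node_modules/ansi-regex": { version: "5.0.1" },
    "node_modules/boxen/node_modules/ansi-regex": { version: "6.0.0" },
  },
};

// Numeric x.y.z comparison; pre-release suffixes are not handled.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Fixed releases per the advisory: 5.0.1 on the 5.x line, 6.0.1 on the 6.x
// line. Older major lines never received the fix; later majors ship with it.
function isVulnerableAnsiRegex(version) {
  const major = Number(version.split(".")[0]);
  if (major < 5) return true;
  if (major === 5) return cmpVersion(version, "5.0.1") < 0;
  if (major === 6) return cmpVersion(version, "6.0.1") < 0;
  return false;
}

// Walk the flat "packages" map; each key is an install path, so splitting on
// "node_modules/" recovers the packages this copy is nested under, which is
// the closest a lockfile gets to "who pulled this in".
function findVulnerableAnsiRegex(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/ansi-regex")) continue;
    if (!isVulnerableAnsiRegex(meta.version)) continue;
    const chain = path
      .split("node_modules/")
      .map((s) => s.replace(/\/$/, ""))
      .filter(Boolean);
    hits.push({ version: meta.version, nestedUnder: chain.join(" -> ") });
  }
  return hits;
}

console.log(findVulnerableAnsiRegex(SAMPLE_LOCK));
```

The hoisted copy at `node_modules/ansi-regex` (5.0.1) is clean, so only the two nested copies are reported, which is exactly why `npm audit` keeps complaining after a top-level upgrade.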
@vicary
Contributor

vicary commented Nov 7, 2021

@medikoo Shall we expect the security warning to go away only after v3 launch and users' migration? i.e. No back port in v2?

@medikoo
Contributor

medikoo commented Nov 8, 2021

> @medikoo Shall we expect the security warning to go away only after v3 launch and users' migration? i.e. No back port in v2?

Yes, it should be fixed in v3, which will have dropped the @serverless/cli and @serverless/components dependencies.
Any back port to v2 is highly unlikely.

@d-fay
Contributor

d-fay commented Dec 13, 2021

I'd just like to clarify that the ansi-regex vulnerability is still not patched in the Serverless v3 beta? Based on this discussion, my understanding is that issues #9855 and #8473 need to be addressed before sls-v3 will no longer report the ansi-regex vulnerability issue.

@medikoo
Contributor

medikoo commented Dec 14, 2021

@d-fay I've outlined the problematic parts in the comment above, and yes, it still has not been addressed. We'll do our best to clear it before the v3.0.0 release.

@medikoo
Contributor

medikoo commented Jan 7, 2022

Closing as v3 pre-release (which can be installed via npm install serverless@pre-3) has that vulnerability cleared.

The public v3.0.0 release will be issued by the end of this month.

@medikoo medikoo closed this as completed Jan 7, 2022