awslabs/aws-crt-nodejs

Snyk ReDoS issue in ansi-regex nested dependency

Pradeep976 opened this issue · 4 comments

Describe the bug
My Snyk Dashboard shows that this package has a high level security issue in one of the packages that is installed by the dependencies of this package,

The problem is with the package ansi-regex@2.1.1, which causes Regular Expression Denial of Service (ReDoS); this issue is fixed in the package ansi-regex 3.0.1.

Can you please make use of the latest packages in order to solve this issue
https://user-images.githubusercontent.com/61454285/191446241-eadee963-6206-424d-9b67-dfd4eb5e7a84.png

Expected Behavior
No issues in Snyk

Current Behavior
1 High issue reported in snyk

Reproduction Steps
When running our external Snyk pipeline this issue is reported in the Snyk dashboard

Possible Solution
No response

Additional Information/Context
No response

SDK version used
1.15.5

Environment details (OS name and version, etc.)
Mac OS Monterey 12.4
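The report above concerns a transitive dependency rather than one the application declares directly, so the practical question for a downstream user is which copy of ansi-regex is installed and through which chain. The script below is an added example, not code from this issue or from the aws-crt-nodejs project: it walks an npm package-lock.json (lockfileVersion 1, 2 or 3), lists every install of a named package with the dependency chain that pulls it in, and flags copies below a fixed version. The only values taken from the issue are the ansi-regex versions (2.1.1 reported, 3.0.1 fixed); the sample lockfile, its other version strings and the chain through cmake-js are constructed placeholders, not the project's real dependency graph.

```javascript
// Added example (not from aws-crt-nodejs): audit an npm lockfile for nested installs
// of a package that sit below the fixed version, and report which dependency chain
// pulls each copy in. Shapes follow package-lock.json lockfileVersion 1, 2 and 3.

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numeric components.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator returning -1, 0 or 1. A prerelease of X sorts before release X,
// so "3.0.1-beta" is still treated as older than the 3.0.1 fix.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  const preA = /^v?\d+\.\d+\.\d+-/.test(a), preB = /^v?\d+\.\d+\.\d+-/.test(b);
  if (preA === preB) return 0;
  return preA ? -1 : 1;
}

// "node_modules/a/node_modules/@s/b" -> ["a", "@s/b"] (scoped names keep their slash).
function installPathToChain(installPath) {
  return installPath
    .split("node_modules/")
    .map((s) => s.replace(/\/$/, ""))
    .filter((s) => s.length > 0);
}

// Every install of `name` in a v2/v3 "packages" map (keys are install paths).
function collectFromPackages(packages, name) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(packages)) {
    if (installPath === "") continue; // the root project entry
    const chain = installPathToChain(installPath);
    if (chain[chain.length - 1] === name && meta.version) {
      hits.push({ chain, version: meta.version });
    }
  }
  return hits;
}

// Every install of `name` in a v1 nested "dependencies" tree (recursive walk).
function collectFromDependencies(deps, name, chain, hits) {
  for (const [depName, meta] of Object.entries(deps || {})) {
    const next = chain.concat(depName);
    if (depName === name && meta.version) hits.push({ chain: next, version: meta.version });
    collectFromDependencies(meta.dependencies, name, next, hits);
  }
  return hits;
}

// Entry point: each copy of `name`, with vulnerable = version < fixedVersion.
function auditLockfile(lock, name, fixedVersion) {
  const hits = lock.packages
    ? collectFromPackages(lock.packages, name)
    : collectFromDependencies(lock.dependencies, name, [], []);
  return hits.map((h) => ({
    ...h,
    path: h.chain.join(" > "),
    vulnerable: compareSemver(h.version, fixedVersion) < 0,
  }));
}

// Constructed sample lockfile (lockfileVersion 3). Only the ansi-regex versions come
// from the issue (2.1.1 reported, 3.0.1 fixed); the other versions and the exact chain
// through cmake-js are placeholders, not the real aws-crt dependency graph.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/aws-crt": { version: "0.0.0-placeholder" },
    "node_modules/cmake-js": { version: "0.0.0-placeholder" },
    "node_modules/cmake-js/node_modules/ansi-regex": { version: "2.1.1" },
    "node_modules/ansi-regex": { version: "3.0.1" },
  },
};

// Print a report for the sample; on a real project, replace SAMPLE_LOCK with
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
for (const f of auditLockfile(SAMPLE_LOCK, "ansi-regex", "3.0.1")) {
  console.log(`${f.vulnerable ? "VULNERABLE" : "ok        "} ${f.path}@${f.version}`);
}
```

The chain output is what makes the result actionable: a hoisted copy at `node_modules/ansi-regex` is the application's own to upgrade, while a copy nested under another package (as in the sample, under cmake-js) can only be moved by that package's maintainers or by an override in the consuming project's package.json.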

Using the same response to both this and #391

Upgrading cmake-js to the latest major version is essentially a large bump to our minimum node version (10 -> 14). Cmake-js 7 will not run on less than node 14 and it's not a good experience to require a version of node (to build) beyond what the actual baseline is. We will look into what the proper procedure should be for updating our node baseline to 14, but under normal circumstances it's something that needs a decent amount of advance notice to users.

While "there's no vulnerability" is not something a downstream user should ever rely on, in this case, the inputs that are fed into the potentially vulnerable code are 100% under our control (the repo source) and so while the general vulnerability is real, there is not a cause for alarm with applications using the CRT at the present moment.

Upgrading cmake-js to the latest major version is essentially a large bump to our minimum node version (10 -> 14).

Why not release a major version, with the security fix and bump of min node version?

Having looked into this further, we have no near-term plans to do either a major version bump or a minimum node version bump. Either have the potential to significantly disrupt users.

Other options are potentially available (#421) but are also currently on hold.

Cmake-js has been updated as of v1.19.0