Menu
I am having trouble resolving a ReDoS vulnerability identified by npm audit. My application has a nested sub-dependency ansi-html that is vulnerable to attack, but unfortunately, it seems that the maintainers have gone AWOL. As you can see in the comments section of that Github issue, to get around this problem, the community has made a fork of the repo called ansi-html-community located here, which addresses this vulnerability.
Thus, I would like to replace all nested references of ansi-html with ansi-html-community.
My normal strategy of using npm-force-resolutions does not seem to be able to override nested sub-dependencies with a different package altogether but rather only the same packages that are a different version number. I have researched this for several hours, but unfortunately, the only way I have found to fix this would appear to be with yarn, which I am now seriously considering using instead of npm. However, this is not ideal as our entire CI/CD pipeline is configured to use npm.
Does anyone know of any other way to accomplish nested sub-dependency package substitution/resolution without having to switch over to using yarn?
These are questions of interest that I was able to find, but unfortunately, they tend to only discuss methods to override package version number, not the package itself.
How do I override nested NPM dependency versions?
npm shrinkwrap (not ideal):npm - how to override a dependent package's dependencies?
430
If you're using npm : Run npm dedupe after installing packages to remove nested duplicates. You can try deleting your package-lock. json and do a fresh install.
Overrides. We can now specify an overrides property in our package. json that enforces the dependency version that is specified there. The changes can be as specific as we want and scoped, or we can make them generic.
My normal strategy of using npm-force-resolutions does not seem to be able to override nested sub-dependencies with a different package altogether but rather only the same packages that are a different version number.
Suppose your project relies on one dependency that depends on another dependency that again depends on another one just to add two numbers. In that case, countless things could go wrong. "npm overrides" give you more power over what's installed in your dependency tree.
Let's say one of your dependencies (1st level) relies on another dependency that includes outdated other dependencies (2nd level). There hasn't been an easy way to control nested dependency versions down the node_modules tree other than forking and fixing your first-level dependency.
Remove the nested dependency under the 'requires' section in package-lock.json Add the updated dependency under DevDependencies in package.json, so that modules that require it will still be able to access it. @user11153 's answer worked for me locally, but when trying to do a clean install (aka deleting node_modules ), I would get:
I figured it out. As of October 2021, the solution using npm-force-resolutions is actually very similar to how you would specify it using yarn. You just need to provide a link to the tarball where you would normally specify the overriding version number. Your resolutions section of package.json should look like this:
"resolutions": {
"ansi-html": "https://registry.npmjs.org/ansi-html-community/-/ansi-html-community-0.0.8.tgz"
}
To find the link to the tarball, use the following command, modifying your registry as necessary:
npm view ansi-html-community dist.tarball --registry=https://registry.npmjs.org/
Also, note that for npm-force-resolutions to work when you run npm install, you will need a preinstall entry under the scripts section of package.json:
"scripts": {
"preinstall": "npx npm-force-resolutions"
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With