There is a full breakdown on npm audit below.
So far we have tried npm audit fix with depth, we have tried to shrinkwrap and manually change the relevant version numbers to the GitHub suggested version fixed (6.0.1).
npm install resets the packages to 5.0.1 even after manual deletion, re-installation, etc.
Output of npm audit below.
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Inefficient Regular Expression Complexity in │
│ │ chalk/ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ node-sass > sass-graph > yargs > string-width > strip-ansi > │
│ │ ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-93q8-gq69-wqmw │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Inefficient Regular Expression Complexity in │
│ │ chalk/ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ node-sass > sass-graph > yargs > cliui > string-width > │
│ │ strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-93q8-gq69-wqmw │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Inefficient Regular Expression Complexity in │
│ │ chalk/ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ node-sass > sass-graph > yargs > cliui > wrap-ansi > │
│ │ string-width > strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-93q8-gq69-wqmw │
└───────────────┴──────────────────────────────────────────────────────────────┘
How do we update this nested dependency correctly to avoid npm audit issues?
Honestly, your best path is to choose not to worry about this. node-sass is presumably a development dependency, not something you are shipping to users. You're not going to accidentally manage to include a string that causes ansi-regex to run inefficiently. And even if you did, that's not going to take down your server. It's going to make your build pipeline take longer than you might like.
At the time of this writing, a clean install of node-sass (latest version is 6.0.1) with no other dependencies still results in the vulnerable ansi-regex being installed. So you'd have to engage in some special shenanigans to get things fixed. While those shenanigans may be worth it for something that installs a vulnerability on your production server, doing so in this case would probably mean applying a lot of effort to create a potentially-brittle fix for something that is a non-issue.
So I strongly recommend simply waiting for the next version of node-sass (which will be one of 6.0.2, 6.1.0, or 7.0.0) and hope that it has the issue fixed, and don't worry about it much if it doesn't.
You can use the npm-force-resolutions package in a preinstall script in your package.json. From the docs:
This package modifies package-lock.json to force the installation of a specific version of a transitive dependency (dependency of dependency)
Here's exactly what fixed the issue for me (after days of bashing my head against the wall):
In package.json:
...
  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  },
  "resolutions": {
    "ansi-regex": "5.0.1"
  },
...
Then npm i should install with no vulnerabilities.