How to update nested package ansi-regex for node-sass, when npm audit fix / update / shrinkwrap manual alteration don't work?

There is a full breakdown on npm audit below.

So far we have tried npm audit fix with depth, and we have tried to shrinkwrap and manually change the relevant version numbers to the GitHub-suggested fixed version (6.0.1).

npm install resets the packages to 5.0.1 even after manual deletion, re-installation, etc.

Output of npm audit below.

    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Moderate      │  Inefficient Regular Expression Complexity in                │
    │               │ chalk/ansi-regex                                             │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ ansi-regex                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Patched in    │ >=5.0.1                                                      │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ node-sass                                                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ node-sass > sass-graph > yargs > string-width > strip-ansi > │
    │               │ ansi-regex                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Moderate      │  Inefficient Regular Expression Complexity in                │
    │               │ chalk/ansi-regex                                             │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ ansi-regex                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Patched in    │ >=5.0.1                                                      │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ node-sass                                                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ node-sass > sass-graph > yargs > cliui > string-width >      │
    │               │ strip-ansi > ansi-regex                                      │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Moderate      │  Inefficient Regular Expression Complexity in                │
    │               │ chalk/ansi-regex                                             │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ ansi-regex                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Patched in    │ >=5.0.1                                                      │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ node-sass                                                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ node-sass > sass-graph > yargs > cliui > wrap-ansi >         │
    │               │ string-width > strip-ansi > ansi-regex                       │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
    └───────────────┴──────────────────────────────────────────────────────────────┘

How do we update this nested dependency correctly to avoid npm audit issues?

Cheetara asked Dec 22 '22 15:12

2 Answers

Honestly, your best path is to choose not to worry about this. node-sass is presumably a development dependency, not something you are shipping to users. You're not going to accidentally manage to include a string that causes ansi-regex to run inefficiently. And even if you did, that's not going to take down your server. It's going to make your build pipeline take longer than you might like.

At the time of this writing, a clean install of node-sass (latest version is 6.0.1) with no other dependencies still results in the vulnerable ansi-regex being installed. So you'd have to engage in some special shenanigans to get things fixed. While those shenanigans may be worth it for something that installs a vulnerability on your production server, doing so in this case would probably mean applying a lot of effort to create a potentially-brittle fix for something that is a non-issue.

So I strongly recommend simply waiting for the next version of node-sass (which will be one of 6.0.2, 6.1.0, or 7.0.0) and hope that it has the issue fixed, and don't worry about it much if it doesn't.

Trott answered Dec 31 '22 01:12


You can use the npm-force-resolutions package in a preinstall script in your package.json. From the docs:

This package modifies package-lock.json to force the installation of a specific version of a transitive dependency (dependency of dependency)

Here's exactly what fixed the issue for me (after days of bashing my head against the wall):

In package.json:

    ...
    "scripts": {
      "preinstall": "npx npm-force-resolutions"
    },
    "resolutions": {
      "ansi-regex": "5.0.1"
    },
    ...

Then npm i should install with no vulnerabilities.

NickH answered Dec 31 '22 01:12