The issue has been closed
The dependencies from this package that use out-of-date versions that I see are:
|-- strip-ansi@6.0.1
    |-- ansi-regex@5.0.1

Fix version is 6.0.1.
Team, can you please check this?
I have other packages that are also using strip-ansi version 6.0.1. As strip-ansi version 7.0 uses ESM and their packages
use CJS, it is difficult to update strip-ansi to version 7.
It would be great if strip-ansi@6.0.1 updated its ansi-regex to version 6.0.1.
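
The kind of lockfile check behind the tree above, as an added example that is not part of this thread or of either project's code: it walks a package-lock.json "packages" map (lockfileVersion 2/3), finds every installed copy of ansi-regex, and reports whether that copy is on a release line that has a fixed version at all. The lockfile object, the helper names and the fixed-version list (only the 6.0.1 named in the issue) are constructed assumptions.

```javascript
// Constructed lockfile fragment mirroring the issue: eslint -> strip-ansi@6 -> ansi-regex@5,
// plus a second, nested copy of ansi-regex that is already on the fixed 6.x line.
const CONSTRUCTED_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { eslint: '^7.0.0' } },
    'node_modules/eslint': { version: '7.32.0', dependencies: { 'strip-ansi': '^6.0.0' } },
    'node_modules/strip-ansi': { version: '6.0.1', dependencies: { 'ansi-regex': '^5.0.0' } },
    'node_modules/ansi-regex': { version: '5.0.1' },
    'node_modules/chalk/node_modules/ansi-regex': { version: '6.0.1' },
  },
};

// Numeric compare of "x.y.z" strings (pre-release tags ignored): returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map((n) => parseInt(n, 10));
  const pb = b.split('.').map((n) => parseInt(n, 10));
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// For every lockfile path ending in node_modules/<pkg>, compare the installed version with
// the fixed release of its own major line. fixedVersions lists one fixed release per major
// line the advisory covers; a line with no entry can only be remediated by a backport,
// which is exactly the situation a CJS consumer pinned to strip-ansi@6 is in.
function auditPackage(lock, pkg, fixedVersions) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/' + pkg) || !entry.version) continue;
    const major = entry.version.split('.')[0];
    const fixed = fixedVersions.find((v) => v.split('.')[0] === major);
    let status;
    if (!fixed) status = 'no fixed release on major ' + major + ' (needs a backport)';
    else if (compareVersions(entry.version, fixed) < 0) status = 'outdated, fix is ' + fixed;
    else status = 'fixed';
    results.push({ path, version: entry.version, status });
  }
  return results;
}

console.log(auditPackage(CONSTRUCTED_LOCK, 'ansi-regex', ['6.0.1']));
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of the constructed object.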

Do you pass unsanitized, untrusted user input into strip-ansi?
posted by Qix- over 3 years ago
@Qix- No, we do not pass unsanitized user input. But our pipeline is failing due to this ReDoS vulnerability.
posted by prashant93 over 3 years ago
You're not affected then. This isn't a high severity vulnerability, the researchers have been pretty aggressive in their scoring. If you can ignore it, that's probably best. It's an edge case and requires a lot of untrusted input to exploit.
That being said, I will look into backporting since the ESM change was the latest major I think (I need to double check) which right now is the only exception by which I'm interested in backporting. Give me a little bit though, I can't guarantee it'll be done today.
posted by Qix- over 3 years ago
posted by prashant93 over 3 years ago 
These redos "vulnerabilities" need to stop. See this blog article: https://overreacted.io/npm-audit-broken-by-design/.
While @Qix- is right (it can be ignored), we are numerous with a CI pipeline analyzing vulns and it's always best to squash this instead of adding an exception. Note that for me strip-ansi comes from eslint, which is an extremely popular package (20M/weekly dl), so your fix will be appreciated by many ;)
Cheers and thanks for your work!
posted by NicolasCARPi over 3 years ago
it's always best to squash this instead of adding an exception
If the vulnerability is still present in a recent version, then I agree with you. In this case, however, it is not. You should push eslint to update, or update eslint if you haven't already (assuming eslint has already updated).
I agree entirely with Dan Abramov here - the security audits in npm are also broken. It's not the first time npm rushed something out the door (package-lock.json was a nightmare when it was released and I'd pretty firmly argue it has absolutely zero value).
Like I said before, I'll look into backporting due to the ESM shift, but as it's not an immediate security concern and I've been swamped with work I don't know when I'll get to it.
posted by Qix- over 3 years ago
You should push eslint to update
Indeed, I thought I had the latest version but I'm two major versions behind! That's what you get when you don't update your JS dependencies for two days :p
posted by NicolasCARPi over 3 years ago