Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 2038298: Upgrade deep dependency ansi-regex to 3.0.1, 4.1.1, 5.0.1 to address CVE-2021-3807 #1410

Merged
merged 1 commit into from
May 2, 2022
Merged

Bug 2038298: Upgrade deep dependency ansi-regex to 3.0.1, 4.1.1, 5.0.1 to address CVE-2021-3807 #1410

merged 1 commit into from
May 2, 2022

Conversation

mturley
Copy link
Collaborator

@mturley mturley commented May 2, 2022
edited
Loading

See GHSA-93q8-gq69-wqmw for vulnerability details.

Affected versions Patched versions
>= 6.0.0, < 6.0.1 6.0.1
>= 5.0.0, < 5.0.1 5.0.1
>= 4.0.0, < 4.1.1 4.1.1
>= 3.0.0, < 3.0.1 3.0.1

We depend on vulnerable versions [email protected], [email protected] and [email protected] via transitive dependencies of webpack-dev-server, node-sass, html-webpack-plugin, strip-ansi, pretty-format, yargs, cliui, wrap-ansi, wide-align and ansi-align (see yarn why output below).

This PR upgrades our lockfile to use the patched versions for each of these (3.0.1, 4.1.1, 5.0.1).

Related BZs:

$ yarn why ansi-regex
yarn why v1.22.10
[1/4] 🤔  Why do we have the module "ansi-regex"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "[email protected]"
info Has been hoisted to "ansi-regex"
info Reasons this module exists
   - Hoisted from "webpack-dev-server#strip-ansi#ansi-regex"
   - Hoisted from "node-sass#chalk#has-ansi#ansi-regex"
   - Hoisted from "node-sass#chalk#strip-ansi#ansi-regex"
   - Hoisted from "html-webpack-plugin#pretty-error#renderkid#strip-ansi#ansi-regex"
   - Hoisted from "node-sass#npmlog#gauge#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "strip-ansi#[email protected]"
info This module exists because "strip-ansi" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "pretty-format#[email protected]"
info This module exists because "@types#jest#pretty-format" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "yargs#[email protected]"
info Reasons this module exists
   - "yargs#string-width#strip-ansi" depends on it
   - Hoisted from "yargs#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "cliui#[email protected]"
info Reasons this module exists
   - "yargs#cliui#strip-ansi" depends on it
   - Hoisted from "yargs#cliui#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "wrap-ansi#[email protected]"
info Reasons this module exists
   - "yargs#cliui#wrap-ansi#strip-ansi" depends on it
   - Hoisted from "yargs#cliui#wrap-ansi#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "wide-align#[email protected]"
info Reasons this module exists
   - "node-sass#npmlog#gauge#wide-align#string-width#strip-ansi" depends on it
   - Hoisted from "node-sass#npmlog#gauge#wide-align#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "ansi-align#[email protected]"
info Reasons this module exists
   - "nodemon#update-notifier#boxen#ansi-align#string-width#strip-ansi" depends on it
   - Hoisted from "nodemon#update-notifier#boxen#ansi-align#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
✨  Done in 0.50s.

@mturley mturley requested a review from a team May 2, 2022 18:03
@mturley mturley mentioned this pull request May 2, 2022
Merged
@mturley mturley changed the title Upgrade deep dependency ansi-regex to 3.0.1, 4.1.1, 5.0.1 to address CVE-2021-3807 Bug 2038298: Upgrade deep dependency ansi-regex to 3.0.1, 4.1.1, 5.0.1 to address CVE-2021-3807 May 2, 2022
@github-actions
Copy link

github-actions bot commented May 2, 2022

Unable to find bug with id: 2038298. Please make sure the bug if created and valid.

3 similar comments
@github-actions
Copy link

github-actions bot commented May 2, 2022

Unable to find bug with id: 2038298. Please make sure the bug if created and valid.

@github-actions
Copy link

github-actions bot commented May 2, 2022

Unable to find bug with id: 2038298. Please make sure the bug if created and valid.

@github-actions
Copy link

github-actions bot commented May 2, 2022

Unable to find bug with id: 2038298. Please make sure the bug if created and valid.

@mturley mturley mentioned this pull request May 2, 2022
Merged
@github-actions
Copy link

github-actions bot commented May 2, 2022

Unable to find bug with id: 2038298. Please make sure the bug if created and valid.

2 similar comments
@github-actions
Copy link

github-actions bot commented May 2, 2022

Unable to find bug with id: 2038298. Please make sure the bug if created and valid.

@github-actions
Copy link

github-actions bot commented May 2, 2022

Unable to find bug with id: 2038298. Please make sure the bug if created and valid.

rayfordj
rayfordj approved these changes May 2, 2022
View reviewed changes
Copy link
Contributor

@rayfordj rayfordj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@github-actions
Copy link

github-actions bot commented May 2, 2022

Unable to find bug with id: 2038298. Please make sure the bug if created and valid.

@mturley mturley merged commit 85ece98 into migtools:master May 2, 2022
@mturley mturley deleted the ansi-regex-cve branch May 2, 2022 18:33
@github-actions
Copy link

github-actions bot commented May 2, 2022

Unable to find bug with id: 2038298. Please make sure the bug is created and valid.

rayfordj pushed a commit to rayfordj/mig-ui that referenced this pull request May 6, 2022
@mturley @rayfordj
Upgrade deep dependency ansi-regex to 3.0.1, 4.1.1, 5.0.1 to address C…
76d4622 
…VE-2021-3807 (migtools#1410)
@rayfordj rayfordj mentioned this pull request May 6, 2022
Merged
mturley added a commit that referenced this pull request May 6, 2022
@rayfordj @mturley
Upgrade deep dependency ansi-regex to 3.0.1, 4.1.1, 5.0.1 to address C…
c31d29f 
…VE-2021-3807 (#1410) (#1418)

Co-authored-by: Mike Turley <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rayfordj rayfordj rayfordj approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mturley @rayfordj