twistlock issue: CVE-2021-3807 for ansi-regex from https://nodejs.org/dist/v14.17.5/node-v14.17.5-linux-x64.tar.gz #40853
Labels
npm
Issues and PRs related to the npm client dependency or the npm registry.
wrong repo
Issues that should be opened in another repository.
Comments
targos
added
npm
|
These alerts are for |
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Version
No response
Platform
No response
Subsystem
No response
What steps will reproduce the bug?
No response
How often does it reproduce? Is there a required condition?
No response
What is the expected behavior?
No response
What do you see instead?
We download https://nodejs.org/dist/v14.17.5/node-v14.17.5-linux-x64.tar.gz and unzip it.
In the twistlock scan report, there are two issues from node folder.
CVE-2021-3807
packageType:nodejs
packageName:ansi-regex
packageVersion:3.0.0
packagePath: /node/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex
fixed in ansi-regex 5.0.1, 6.0.1
CVE-2021-3807
packageType:nodejs
packageName:ansi-regex
packageVersion:5.0.0
packagePath: /node/lib/node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex
fixed in ansi-regex 5.0.1, 6.0.1
I also manually download the highest nodejs version v14.18.1 and v17.1.0, then unzip it.
The ansi-regex folder under node_modules are still using 3.0.0.
I hope nodes can use higher version ansi-regex.
Where do I open an issue for above CVE-2021-3807,
https://hackerone.com/nodejs?type=team
or
https://github.com/npm/cli/issues
?
Thanks so much.
By the way, I searched 'CVE-2021-3807' or 'ansi-regex' in
https://groups.google.com/group/nodejs-sec
https://nodejs.org/en/blog/
and can not find record.
Additional information
No response
The text was updated successfully, but these errors were encountered: