[Security] cli-columns and cli-table3 have dependencies to vulnerable packages

[akaraman85]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Security scans fail do to high warning of a security vulnerability in ansi-regex.

Expected Behavior

Security scan pass.

Steps To Reproduce

We use twistlock to do vulnerability detection, which relies on NVD to get vulnerability data.

The issue can be found here, https://nvd.nist.gov/vuln/detail/CVE-2021-3807 and here, https://snyk.io/vuln/npm:ansi-regex.

Environment

• OS: Mac 11.5.2
• Node: v12.21.0
• npm: 7.21.1

[Izook]

Also running into this same issue. Looking at the attached PR will this issue not be addressed until version 8 since cli-columns doesn't support Node 10?

[ckcr4lyf]

Also ran into this due to npm itself being dependent on it. Decided to add it to the CVE ignore list after confirming no other occurrences of the vulnerable issue

[thoger]

Note that the ansi-regex upstream PR and commit for CVE-2021-3807 are:

chalk/ansi-regex#37
chalk/ansi-regex@8d1d7cd

Also note that versions 3.0.0 - 5.0.0 and 6.0.0 are affected, issue was fixed in 5.0.1 and 6.0.1.

This report mentions ansi-regex version as bundled with current npm version 7, 8, and latest. However, version 6, that is bundled with current nodejs versions, has even more copies of ansi-regex. Here is the current status:

latest and v8.0.0:
./node_modules/string-width/node_modules/ansi-regex/package.json: "version": "3.0.0", -- affected
./node_modules/ansi-regex/package.json: "version": "2.1.1", -- notaffected
./node_modules/cli-table3/node_modules/ansi-regex/package.json: "version": "5.0.0", -- affected
./node_modules/cli-columns/node_modules/ansi-regex/package.json: "version": "5.0.1", -- fixed

v7.24.2:
./node_modules/string-width/node_modules/ansi-regex/package.json: "version": "3.0.0", -- affected
./node_modules/ansi-regex/package.json: "version": "2.1.1", -- notaffected
./node_modules/cli-table3/node_modules/ansi-regex/package.json: "version": "5.0.0", -- affected

v6.14.15
./node_modules/wrap-ansi/node_modules/ansi-regex/package.json: "version": "4.1.0" -- affected
./node_modules/string-width/node_modules/ansi-regex/package.json: "version": "3.0.0" -- affected
./node_modules/ansi-regex/package.json: "version": "2.1.1", -- notaffected
./node_modules/yargs/node_modules/ansi-regex/package.json: "version": "4.1.0" -- affected
./node_modules/cliui/node_modules/ansi-regex/package.json: "version": "4.1.0" -- affected

The above covers versions that can be found in the respective git tags or branches.

[panayiod44]

Is there any plan to fix this in npm v6 ?

[f2404]

Hello,
Following this bug report: nodejs/docker-node#1574 (comment)

npm 8.1.0 continues to install vulnerable versions of ansi-regex package - namely, @5.0.0, @2.1.1, and @3.0.0 - which results in the base Docker image being flagged by container security software.

Would it be possible to upgrade all dependencies to use ansi-regex@5.0.1?
Thanks!

[guomeng306]

Hello,
We got same issue,too.
nodejs team asked us to open issue here.
nodejs/node#40853
Thanks a lot.

[skhushboo-vm]

Hello Team,

Can you please upgrade npm to use fixed ansi-regex?
Also, kindly inform if any timelines are there for this?

Thanks,
Khushboo Soni
VMware

[psandeep09]

We got same issue.