npm audit ansi-regex

[kmalakoff]

I'm getting these nm audit warnings. Can you please update the dependency on ansi-regex for this module?

ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - GHSA-93q8-gq69-wqmw
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/inquirer-autosubmit-prompt/node_modules/ansi-regex
node_modules/inquirer-autosubmit-prompt/node_modules/string-width/node_modules/ansi-regex
node_modules/karma-mocha-reporter/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/inquirer-autosubmit-prompt/node_modules/string-width/node_modules/strip-ansi
node_modules/inquirer-autosubmit-prompt/node_modules/strip-ansi
node_modules/karma-mocha-reporter/node_modules/strip-ansi
node_modules/wrap-ansi/node_modules/strip-ansi
inquirer 3.2.0 - 7.0.4
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/inquirer-autosubmit-prompt/node_modules/inquirer
inquirer-autosubmit-prompt *
Depends on vulnerable versions of inquirer
node_modules/inquirer-autosubmit-prompt
listr-input >=0.2.0
Depends on vulnerable versions of inquirer-autosubmit-prompt
node_modules/listr-input
np >=4.0.0
Depends on vulnerable versions of listr
Depends on vulnerable versions of listr-input
node_modules/np
karma-mocha-reporter >=2.2.4
Depends on vulnerable versions of strip-ansi
node_modules/karma-mocha-reporter
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/inquirer-autosubmit-prompt/node_modules/string-width
node_modules/wrap-ansi/node_modules/string-width
wrap-ansi 3.0.0 - 6.1.0
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/wrap-ansi
log-update 2.1.0 - 3.4.0
Depends on vulnerable versions of wrap-ansi
node_modules/log-update
listr-update-renderer >=0.5.0
Depends on vulnerable versions of log-update
node_modules/listr-update-renderer
listr >=0.14.3
Depends on vulnerable versions of listr-update-renderer
node_modules/listr

12 moderate severity vulnerabilities

[Den-dp]

Added PR to fix that

[hitendra-ap]

Hello @Den-dp,
Any updates regarding this issue? Or any eta on this.. when it will be fixed?
Actually, this vulnerability is blocking our application from being PCI DSS compliant.
Thanks

[Den-dp]

@hitendra-ap so my PR is here #109 but there are some failed tests that someone should take a look at.

It is up to the maintainer what to do with this PR.

[JugrajSripalJain]

@artm @ppvg any thoughts?

[psnosignaluk]

@LitixThomas would it be safe to assume that karma-mocha-reporter is no longer supported and is abandoned?

[Den-dp]

Added CI-related fix to #109 Now it's green 🟢

[LitixThomas]

Yes, karma-mocha-reporter is outdated and will no longer maintained.

[tomkdgun]

@LitixThomas @Den-dp Do someone is going to take over ownership of this project ? Any alternatives for this reporter ?

[Den-dp]

Assuming that:

• this project is very popular (213k downloads per week https://www.npmjs.com/package/karma-mocha-reporter )
• PR with a fix is in place fix: update strip-ansi to use newer ansi-regex without vulnerability #109
• tests are green

I hope that one day maintainers will reconsider their intent to drop this project and will find some time to merge the fix since right now it is low effort/low hanging fruit.

I have no plans on forking it and publishing it to npm.

[Sayan751]

I think the main issue here might be that in the current versions, the dependencies modules have moved to cjs to esm which might be an issue with karma. The esm karma conf file issue is still open: karma-runner/karma#3677.

[JesseAppleton]

Commenting to mention I'm looking for #109 to be merged as well. Maintainers, please consider.