Vulnerability warnings with ansi-regex and minimist
I’m seeing a few vulnerability warnings after installing 3.3.0, namely with ansi-regex and minimist.
Issue Analytics
- Created a year ago
- Reactions: 29
- Comments: 11 (3 by maintainers)
Top GitHub Comments
Hold up. Let’s clarify something. Your message read to me like you were a maintainer of this project, which meant you took time to reply on a thread giving an excuse why you weren’t going to release an update to resolve a vulnerability, when actually resolving it would have taken less time. If that was what happened, that would have been undeniably bad behavior on the part of the maintainer and it is not acting entitled to point that out.
It would take the same amount of time to update the version of a single dependency as it would to make an excuse why you aren’t going to.
This project hasn’t been updated in over 2 years. I don’t know what you’re worried about. It’s already been abandoned. Clearly the maintainer has already checked out.