[Security] cli-columns and cli-table3 have dependencies to vulnerable packages #3785
Comments
akaraman85
added
Bug
lukekarrys
added
Security
|
Also running into this same issue. Looking at the attached PR will this issue not be addressed until version 8 since |
|
Also ran into this due to npm itself being dependent on it. Decided to add it to the CVE ignore list after confirming no other occurrences of the vulnerable issue |
|
Note that the ansi-regex upstream PR and commit for CVE-2021-3807 are: chalk/ansi-regex#37 Also note that versions 3.0.0 - 5.0.0 and 6.0.0 are affected, issue was fixed in 5.0.1 and 6.0.1. This report mentions ansi-regex version as bundled with current npm version 7, 8, and latest. However, version 6, that is bundled with current nodejs versions, has even more copies of ansi-regex. Here is the current status: latest and v8.0.0: v7.24.2: v6.14.15 The above covers versions that can be found in the respective git tags or branches. |
|
Is there any plan to fix this in npm v6 ? |
|
Hello, npm 8.1.0 continues to install vulnerable versions of ansi-regex package - namely, @5.0.0, @2.1.1, and @3.0.0 - which results in the base Docker image being flagged by container security software. Would it be possible to upgrade all dependencies to use ansi-regex@5.0.1? |
|
Hello, |
|
Hello Team, Can you please upgrade npm to use fixed ansi-regex? Thanks, |
|
We got same issue.
|
|
Same here with using base docker image node:16-alpine |
|
Hi npm Team, Kindly let us know the timeline for fixing this issue. Thanks, |
|
Giving this another bump as this issue is persisting in our CI pipeline's security scan. Any attention to fixing this will make a lot of people happy ❤️ PS. We use |
|
For anyone blocked by this issue. Don't use NPM in your final container image. Here is an example of Dockefile with multistage build based on Alpine: # Build stage
FROM node:16-alpine3.15 as build
# Install dependencies
WORKDIR /
COPY package-lock.json .
COPY package.json .
RUN npm ci --production
# Final stage
FROM alpine:3.15 as final
# Upgrade APK and install nodejs
RUN apk --no-cache add --upgrade nodejs~16
# Setup application
RUN mkdir -p /app/simple-server
WORKDIR /app/simple-server
COPY . .
COPY --from=build node_modules node_modules
# Run App
ENTRYPOINT ["node", "index.js"]This will make your scanners happy 😊 |
We ended up uninstalling npm from the final image: |
|
@hi-artem Thanks, this is the solution we've opted for |
|
It would be good to see high vulnerabilities in NPM fixed in a timely fashion, whether or not some deployments can hack NPM out of the equation. |
|
@MartinFalatic "a CVE exists" does not mean "a vulnerability exists". Most CVEs are false positives, and unless these vulnerabilities are exploitable via npm, it's not actually a vulnerability. An actual vulnerability is a concern - a false positive CVE warning should not be. (i'm not making any assertions about these CVEs/vulnerabilities specifically, just speaking in general terms) |
|
@MartinFalatic the thing here is how often do you need to have NPM in your final image? IHMO it is not a hack to remove it, but a good practice of not installing development dependencies in your production environment. NPM itself is the development dependency. |
|
Closed in v8.5.2 thanks @lukekarrys |
|
I have verified that updating globally to the latest npm version (v8.5.4) on the Dockerfile also does the trick. The security vulnerabilities disappeared. FROM node:16-alpine3.15
...
RUN npm -g npm@8.5.4
... |
|
@wraithgar Is it possible to backport it to version |
|
The earlier assessments of fix incompatibility with npm 6 are probably no longer true, as the fixed ansi-regex is in npm@6.14.17 via yargs@14.2.3/cliui@5.0.0 so we just need to upgrade cli-columns to version with strip-ansi@5 @wraithgar @Izook do you agree? Thanks! |
Is there an existing issue for this?
Current Behavior
Security scans fail do to high warning of a security vulnerability in ansi-regex.
Expected Behavior
Security scan pass.
Steps To Reproduce
We use twistlock to do vulnerability detection, which relies on NVD to get vulnerability data.
The issue can be found here, https://nvd.nist.gov/vuln/detail/CVE-2021-3807 and here, https://snyk.io/vuln/npm:ansi-regex.
Environment
The text was updated successfully, but these errors were encountered: