Tags: node.js, npm, npm-install, node-sass, npm-audit

How to update nested package ansi-regex for node-sass, when npm audit fix / update / shrinkwrap manual alteration don't work?


There is a full breakdown on npm audit below.

So far we have tried npm audit fix with depth, and we have tried to shrinkwrap and manually change the relevant version numbers to the fixed version suggested on GitHub (6.0.1).

npm install resets the packages to 5.0.1 even after manual deletion, re-installation, etc.

Output of npm audit below.

    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Moderate      │  Inefficient Regular Expression Complexity in                │
    │               │ chalk/ansi-regex                                             │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ ansi-regex                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Patched in    │ >=5.0.1                                                      │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ node-sass                                                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ node-sass > sass-graph > yargs > string-width > strip-ansi > │
    │               │ ansi-regex                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Moderate      │  Inefficient Regular Expression Complexity in                │
    │               │ chalk/ansi-regex                                             │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ ansi-regex                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Patched in    │ >=5.0.1                                                      │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ node-sass                                                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ node-sass > sass-graph > yargs > cliui > string-width >      │
    │               │ strip-ansi > ansi-regex                                      │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Moderate      │  Inefficient Regular Expression Complexity in                │
    │               │ chalk/ansi-regex                                             │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ ansi-regex                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Patched in    │ >=5.0.1                                                      │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ node-sass                                                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ node-sass > sass-graph > yargs > cliui > wrap-ansi >         │
    │               │ string-width > strip-ansi > ansi-regex                       │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
    └───────────────┴──────────────────────────────────────────────────────────────┘

How do we update this nested dependency correctly to avoid npm audit issues?


Solution

  • Honestly, your best path is to choose not to worry about this. node-sass is presumably a development dependency, not something you are shipping to users. You're not going to accidentally manage to include a string that causes ansi-regex to run inefficiently. And even if you did, that's not going to take down your server. It's going to make your build pipeline take longer than you might like.

    At the time of this writing, a clean install of node-sass (latest version is 6.0.1) with no other dependencies still results in the vulnerable ansi-regex being installed. So you'd have to engage in some special shenanigans to get things fixed. While those shenanigans may be worth it for something that installs a vulnerability on your production server, doing so in this case would probably mean applying a lot of effort to create a potentially-brittle fix for something that is a non-issue.

    So I strongly recommend simply waiting for the next version of node-sass (which will be one of 6.0.2, 6.1.0, or 7.0.0) and hoping that it has the issue fixed; don't worry about it much if it doesn't.
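To check whether the nested ansi-regex actually changed after a shrinkwrap or reinstall attempt like the one in the question, or after a fresh install of the kind the answer describes, the script below walks a dependency tree in the shape `npm ls --all --json` prints and lists every path ending at a target package whose installed version is below the "Patched in" floor that `npm audit` reported. This is an added example, not code from the question, the answer or node-sass; the tree is constructed by hand to mirror two of the audit paths, and the check uses only the single floor the audit printed (a real advisory may patch several release lines, so treat it as a version-floor check, not a full advisory range evaluation).

```javascript
// Constructed tree mirroring two of the audit paths; versions are illustrative, not from a real install.
const constructedTree = {
  dependencies: {
    'node-sass': { version: '6.0.1', dependencies: {
      'sass-graph': { version: '2.2.5', dependencies: {
        yargs: { version: '13.3.2', dependencies: {
          'string-width': { version: '3.1.0', dependencies: {
            'strip-ansi': { version: '5.2.0', dependencies: { 'ansi-regex': { version: '4.1.0' } } },
          } },
          cliui: { version: '5.0.0', dependencies: {
            'string-width': { version: '4.2.3', dependencies: {
              'strip-ansi': { version: '6.0.1', dependencies: { 'ansi-regex': { version: '5.0.1' } } },
            } },
          } },
        } },
      } },
    } },
  },
};

// Numeric compare of dotted versions; prerelease tags are ignored (assumption). Returns <0, 0 or >0.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk that returns every dependency path ending at `target`, with its installed version.
function findPaths(node, target, prefix = []) {
  const found = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const path = [...prefix, name];
    if (name === target) found.push({ path, version: child.version });
    found.push(...findPaths(child, target, path));
  }
  return found;
}

// Paths whose installed version is still below the patched floor, formatted like the npm audit "Path" row.
function vulnerablePaths(tree, target, patchedFloor) {
  return findPaths(tree, target)
    .filter((hit) => compareVersions(hit.version, patchedFloor) < 0)
    .map((hit) => `${hit.path.join(' > ')} (${hit.version})`);
}

console.log(vulnerablePaths(constructedTree, 'ansi-regex', '5.0.1'));
```

Feed it the parsed output of `npm ls --all --json` instead of the constructed tree to check a real project; an empty result means every copy of the package is at or above the floor.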