In my node.js project, I have a dependency on packageA. Since this package is archived now, I had to override one of its dependencies (not sure if this is relevant). My package.json looks like this-
...
"dependencies": {
  "packageA": "1.4.39"
  ...
},
"overrides": {
  "packageA": {
    "nconf": "0.11.4"
  }
},
...
When I run snyk test to detect vulnerabilities, it shows the following-
✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in ansi-regex@2.1.1
introduced by packageA@1.4.39 > nconf@0.11.4 > yargs@16.2.0 > cliui@7.0.4 > string-width@4.2.3 > strip-ansi@3.0.1 > ansi-regex@2.1.1 and 17 other path(s)
This issue was fixed in versions: 3.0.1, 4.1.1, 5.0.1, 6.0.1
So strip-ansi@3.0.1 is using ansi-regex@2.1.1, which should be updated. But if I run npm show strip-ansi@6.0.1, the output is like this-
...
dependencies:
ansi-regex: ^5.0.1
...
So strip-ansi@6.0.1 is not really dependent on that old version. However, the problem is probably not with snyk. Just that somehow my package-lock.json file is including an old version.
If I run npm update packageA, nothing happens - it's already up-to-date.
If I search the package-lock.json file for all references to ansi-regex@2.1.1, delete those, and then run npm install, it just goes back to the previous state.
I also tried deleting the node_modules folder and the package-lock.json file and ran npm install after cleaning the cache. This seems to solve the problem, but that also updates the whole package-lock.json file, which would be risky in a production environment.
Any suggestions how I can fix this? Thanks in advance.
As you wrote, the problem is the state of the package lockfile.
A suggestion is to pin the ansi-regex package to version 3.0.1, which is noted as fixed by Snyk. You can achieve it like this:
"overrides": {
  "ansi-regex": "3.0.1"
}
And then try an npm install to make the update and follow that with a snyk test to ensure versions are free of vulns.
Also, a suggestion to better understand what is happening in general is to run a snyk monitor command instead of snyk test?
Or, even better, scan from the Snyk UI in a direct SCM integration?
It is a good practice to run npm install before (no need to delete node_modules).
It may be more comprehensive than local CLI results, I think.
This would show you the project view with a clear dependency tree & hierarchy and would maybe help you identify the problem.
Hopefully this will give you a visualization of where the ansi-regex@2.1.1 is pulled from and Snyk will provide you with a suggestion for a fix.
Hope it's helpful
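As an added example, not code from the question or the answer above: the "introduced by" chains that snyk test prints can be recovered offline from package-lock.json itself, which is useful for checking exactly which nested copy an override will (or will not) replace before touching a production lockfile. The script below reads a lockfileVersion 2/3 "packages" map, resolves each dependency the way node does (look in the dependent's own node_modules, then walk up), lists every installed copy of a package with the chains that pull it in, and flags copies that fall below the fixed versions the Snyk output lists (3.0.1, 4.1.1, 5.0.1, 6.0.1). The sampleLock object is a constructed fragment that mirrors the path in the question (it is not a real lockfile, and the nested strip-ansi@3.0.1 under string-width is there to reproduce the stale state, not because string-width@4.2.3 normally depends on it); the function names are my own.

```javascript
// Added example: locate every copy of a package in a package-lock.json
// (lockfileVersion 2 or 3) and explain which dependency chains introduce it.
// Not code from the question, the answer, npm or Snyk.

// Constructed lockfile fragment (not a real lockfile) mirroring the question's path.
// "" is the project root; nested copies live under the dependent's own node_modules.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { packageA: "1.4.39" } },
    "node_modules/packageA": { version: "1.4.39", dependencies: { nconf: "0.11.4" } },
    "node_modules/nconf": { version: "0.11.4", dependencies: { yargs: "^16.1.1" } },
    "node_modules/yargs": { version: "16.2.0", dependencies: { cliui: "^7.0.2", "string-width": "^4.2.0" } },
    "node_modules/cliui": { version: "7.0.4", dependencies: { "string-width": "^4.2.0", "strip-ansi": "^6.0.0" } },
    "node_modules/string-width": { version: "4.2.3", dependencies: { "strip-ansi": "^3.0.0" } },
    "node_modules/string-width/node_modules/strip-ansi": { version: "3.0.1", dependencies: { "ansi-regex": "^2.0.0" } },
    "node_modules/string-width/node_modules/ansi-regex": { version: "2.1.1" },
    "node_modules/strip-ansi": { version: "6.0.1", dependencies: { "ansi-regex": "^5.0.1" } },
    "node_modules/ansi-regex": { version: "5.0.1" },
  },
};

// Minimal "major.minor.patch" comparison; enough for lockfile versions (no ranges here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error("unparseable version: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
function cmpVersion(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Fixed versions as listed in the Snyk output on this page: 3.0.1, 4.1.1, 5.0.1, 6.0.1.
// Anything below 3.0.1, or a 4.x/5.x/6.x release below its listed fix, is treated as affected.
const ANSI_REGEX_FIXES = { 4: "4.1.1", 5: "5.0.1", 6: "6.0.1" };
function isVulnerableAnsiRegex(version) {
  if (cmpVersion(version, "3.0.1") < 0) return true;
  const fix = ANSI_REGEX_FIXES[parseVersion(version)[0]];
  return fix !== undefined && cmpVersion(version, fix) < 0;
}

// Package name is whatever follows the last "node_modules/" in the lockfile path.
function nameOf(lockPath) {
  return lockPath.slice(lockPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Node-style resolution over lockfile paths: try <from>/node_modules/<dep>,
// then the same in each enclosing package directory, finally at the root.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // dependency not present in the lockfile
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Reverse edges: for each installed path, the list of paths that depend on it.
function dependentsMap(packages) {
  const dependents = {};
  for (const [from, entry] of Object.entries(packages)) {
    for (const dep of Object.keys(entry.dependencies || {})) {
      const to = resolveDep(packages, from, dep);
      if (to) (dependents[to] = dependents[to] || []).push(from);
    }
  }
  return dependents;
}

// All chains root > ... > target, formatted like Snyk's "introduced by" lines.
function chainsTo(packages, dependents, target) {
  const chains = [];
  const label = (p) => nameOf(p) + "@" + packages[p].version;
  (function walk(p, trail) {
    if (p === "") { chains.push(trail.map(label).join(" > ")); return; }
    if (trail.includes(p)) return; // guard against dependency cycles
    for (const d of dependents[p] || []) walk(d, [p, ...trail]);
  })(target, []);
  return chains.sort();
}

// Every installed copy of `name`, with its chains and the vulnerability verdict.
function findCopies(lock, name, isVulnerable) {
  const packages = lock.packages;
  const dependents = dependentsMap(packages);
  return Object.keys(packages)
    .filter((p) => p !== "" && nameOf(p) === name)
    .map((p) => ({
      path: p,
      version: packages[p].version,
      vulnerable: isVulnerable(packages[p].version),
      introducedBy: chainsTo(packages, dependents, p),
    }));
}

for (const copy of findCopies(sampleLock, "ansi-regex", isVulnerableAnsiRegex)) {
  console.log(`${copy.path} (${copy.version}) vulnerable=${copy.vulnerable}`);
  for (const chain of copy.introducedBy) console.log("  introduced by " + chain);
}
```

To run it against a real project, replace sampleLock with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; lockfiles with lockfileVersion 1 have no "packages" map and are not handled. Running the sample shows the 2.1.1 copy reachable only through the nested strip-ansi@3.0.1, while the hoisted 5.0.1 copy is what cliui's strip-ansi@6.0.1 resolves to, so an override or an `npm update` that only touches the top-level copy leaves the flagged one in place.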