Tags: npm, snyk

npm - a package's 6th-level dependency is shown by snyk to be using an outdated version


In my node.js project, I have a dependency on packageA. Since this package is archived now, I had to override one of its dependencies (not sure if this is relevant). My package.json looks like this:

...
  "dependencies": {
    "packageA": "1.4.39"
    ...
  },
  "overrides": {
    "packageA": {
      "nconf": "0.11.4"
    }
  },
...

When I run snyk test to detect vulnerabilities, it shows the following:

✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in ansi-regex@2.1.1
    introduced by packageA@1.4.39 > nconf@0.11.4 > yargs@16.2.0 > cliui@7.0.4 > string-width@4.2.3 > strip-ansi@3.0.1 > ansi-regex@2.1.1 and 17 other path(s)
  This issue was fixed in versions: 3.0.1, 4.1.1, 5.0.1, 6.0.1

So strip-ansi@3.0.1 is using ansi-regex@2.1.1, which should be updated. But if I run npm show strip-ansi@6.0.1, the output is like this:

...
dependencies:
ansi-regex: ^5.0.1 
...

So strip-ansi@6.0.1 is not really dependent on that old version. However, the problem is probably not with snyk. Just that somehow my package-lock.json file is including an old version.

If I run npm update packageA, nothing happens - it's already up-to-date.

If I search the package-lock.json file for all references to ansi-regex@2.1.1, delete those, and then run npm install, it just goes back to the previous state.

I also tried deleting the node_modules folder and the package-lock.json file and ran npm install after cleaning the cache. This seems to solve the problem, but it also updates the whole package-lock.json file, which could be risky in a production environment.

Any suggestions how I can fix this? Thanks in advance.


Solution

  • As you wrote, the problem is the state of the package lockfile. A suggestion is to pin the ansi-regex package to version 3.0.1 which is noted as fixed by Snyk. You can achieve it like this:

    "overrides": {
      "ansi-regex": "3.0.1"
    }
    

    Then run npm install to make the update, and follow that with a snyk test to ensure the versions are free of vulns.

    Also, a suggestion to better understand what is happening in general: run a snyk monitor command instead of snyk test.

    Or, even better, scan from the Snyk UI via a direct SCM integration. It is good practice to run npm install first (no need to delete node_modules). I think it may be more comprehensive than local CLI results.

    This would show you the project view with a clear dependency tree & hierarchy and would maybe help you identify the problem.

    Hopefully this will give you a visualization of where the ansi-regex@2.1.1 is pulled from and Snyk will provide you with a suggestion for a fix.

    Hope it's helpful
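The two questions raised above, where the lockfile pulls ansi-regex@2.1.1 from and whether an "overrides" pin has actually taken effect, can both be answered from package-lock.json alone. The script below is an added example, not code from the question, the answer or Snyk: it walks a lockfileVersion 2/3 "packages" map with npm's own resolution rule (look for node_modules/<dep> beside the requiring package, then in each parent, then at the top level) and prints every path that reaches a given name@version, then lists every installed copy of a package whose version differs from a pin. SAMPLE_LOCK is constructed for illustration: it reproduces the ansi-regex chain from the snyk output, but the semver ranges, the nesting and the second strip-ansi copy are hypothetical.

```javascript
"use strict";

// Constructed sample lockfile (lockfileVersion 2/3 layout, npm 7+). Only the
// ansi-regex chain from the question is real; the ranges and the nested
// cliui/strip-ansi@6.0.1 copy are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { packageA: "1.4.39" } },
    "node_modules/packageA": { version: "1.4.39", dependencies: { nconf: "^0.11.4" } },
    "node_modules/nconf": { version: "0.11.4", dependencies: { yargs: "^16.1.1" } },
    "node_modules/yargs": { version: "16.2.0", dependencies: { cliui: "^7.0.2", "string-width": "^4.2.0" } },
    "node_modules/cliui": { version: "7.0.4", dependencies: { "string-width": "^4.2.0", "strip-ansi": "^6.0.0" } },
    "node_modules/cliui/node_modules/strip-ansi": { version: "6.0.1", dependencies: { "ansi-regex": "^5.0.1" } },
    "node_modules/cliui/node_modules/ansi-regex": { version: "5.0.1" },
    // Stale-lock situation: string-width@4.2.3 declares strip-ansi ^6.0.1, but the
    // only copy it can reach is the hoisted strip-ansi@3.0.1 -> ansi-regex@2.1.1.
    "node_modules/string-width": { version: "4.2.3", dependencies: { "strip-ansi": "^6.0.1" } },
    "node_modules/strip-ansi": { version: "3.0.1", dependencies: { "ansi-regex": "^2.0.0" } },
    "node_modules/ansi-regex": { version: "2.1.1" },
  },
};

// Package name from a lockfile path ("node_modules/a/node_modules/@s/b" -> "@s/b").
function pkgName(path) {
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

function pkgLabel(packages, path) {
  return path === "" ? "root" : `${pkgName(path)}@${packages[path].version}`;
}

// Resolve `dep` as required by the package installed at `fromPath`: try
// <fromPath>/node_modules/<dep>, then the same under each ancestor, then the
// top-level node_modules/<dep>. Returns the lockfile key or null.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${dep}` : `${base}/node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Every dependency chain from the project root that ends at name@version,
// rendered like snyk's "a@1 > b@2 > c@3" paths. Follows "dependencies" and
// "optionalDependencies" only (devDependencies are not walked), and stops on
// cycles so a circular dependency cannot loop forever.
function findPaths(lock, name, version) {
  const packages = lock.packages;
  const results = [];
  const walk = (path, chain, visited) => {
    const entry = packages[path];
    if (!entry) return;
    if (path !== "" && pkgName(path) === name && entry.version === version) {
      results.push(chain.join(" > "));
      return;
    }
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const dep of Object.keys(deps)) {
      const target = resolveDep(packages, path, dep);
      if (!target || visited.has(target)) continue;
      walk(target, [...chain, pkgLabel(packages, target)], new Set([...visited, target]));
    }
  };
  walk("", [], new Set([""]));
  return results;
}

// Every installed copy of `name` whose version is not `pinned`: after adding an
// "overrides" entry and running npm install, this should come back empty.
function unpinnedCopies(lock, name, pinned) {
  return Object.entries(lock.packages)
    .filter(([path, entry]) => path !== "" && pkgName(path) === name && entry.version !== pinned)
    .map(([path, entry]) => `${path} (${entry.version})`);
}

// Usage: node lock-paths.js [package-lock.json] [name] [version]
// Without arguments the constructed sample lock is used.
if (typeof require === "function" && require.main === module) {
  const [lockPath, name = "ansi-regex", version = "2.1.1"] = process.argv.slice(2);
  const lock = lockPath ? JSON.parse(require("fs").readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
  if (!lock.packages) throw new Error("lockfileVersion 1 has no 'packages' map; regenerate with npm 7+");
  for (const p of findPaths(lock, name, version)) console.log(`${name}@${version} introduced by ${p}`);
  for (const c of unpinnedCopies(lock, name, version)) console.log(`other copy: ${c}`);
}

module.exports = { SAMPLE_LOCK, findPaths, unpinnedCopies, resolveDep, pkgName };
```

Run it against the real package-lock.json before and after adding the override; the paths it prints should match the "introduced by" lines from snyk test, and unpinnedCopies should be empty once npm install has applied the pin. Note that a bare "ansi-regex": "3.0.1" override replaces every copy of ansi-regex in the tree, regardless of the range each dependent declared, so check the list of other copies first and rerun the project's tests afterwards.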