[Security] cli-columns and cli-table3 have dependencies to vulnerable packages #3785
Comments
Also running into this same issue. Looking at the attached PR will this issue not be addressed until version 8 since |
Also ran into this due to npm itself being dependent on it. Decided to add it to the CVE ignore list after confirming no other occurrences of the vulnerable issue |
Note that the ansi-regex upstream PR and commit for CVE-2021-3807 are: chalk/ansi-regex#37 Also note that versions 3.0.0 - 5.0.0 and 6.0.0 are affected; the issue was fixed in 5.0.1 and 6.0.1. This report mentions the ansi-regex version as bundled with current npm versions 7, 8, and latest. However, version 6, which is bundled with current nodejs versions, has even more copies of ansi-regex. Here is the current status: latest and v8.0.0: v7.24.2: v6.14.15 The above covers versions that can be found in the respective git tags or branches. |
Is there any plan to fix this in npm v6? |
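A small scanner for the situation described in the comment above (several nested copies of ansi-regex inside one npm tree, some fixed and some not). This is an added example, not code from the npm project or from anyone in this thread. It walks a node_modules tree, reads the package.json of every ansi-regex copy, and flags versions inside the affected ranges quoted in the comment (3.0.0 - 5.0.0 and 6.0.0; fixed in 5.0.1 and 6.0.1). The ranges are passed in as data so they can be adjusted if an advisory states a different range; the sample tree it builds is constructed for the demonstration and is not a real install.

```python
"""Find every installed copy of ansi-regex under a node_modules tree and
flag versions in the affected ranges quoted in the comment above.

Added example; not npm's code and not from this thread. The ranges are
taken from that comment and are an input, not a claim made by this script.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# Inclusive (lo, hi) version ranges as stated in the comment above.
AFFECTED_RANGES = [((3, 0, 0), (5, 0, 0)), ((6, 0, 0), (6, 0, 0))]

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch); prerelease and build tags are ignored."""
    m = _SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"not a semver string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version, ranges=AFFECTED_RANGES):
    """True when the version falls inside any of the inclusive ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in ranges)


def find_package_copies(root, name="ansi-regex"):
    """Yield (relative_path, version) for each installed copy of `name`.

    Nested node_modules directories are where duplicate copies pulled in by
    different dependents (npm itself, cli-columns, cli-table3, ...) end up,
    so the whole tree is walked rather than only the top level.
    """
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        p = Path(dirpath)
        if p.name == name and p.parent.name == "node_modules" and "package.json" in filenames:
            with open(p / "package.json", encoding="utf-8") as fh:
                data = json.load(fh)
            if data.get("name") == name:
                yield str(p.relative_to(root)), data.get("version", "")


def scan(root, name="ansi-regex", ranges=AFFECTED_RANGES):
    """Return sorted (relative_path, version, affected) triples for each copy found."""
    results = []
    for rel, version in find_package_copies(root, name):
        try:
            flagged = is_affected(version, ranges)
        except ValueError:
            flagged = True  # unparsable version string: surface it for review
        results.append((rel, version, flagged))
    return sorted(results)


def build_sample_tree():
    """Construct a throwaway node_modules layout with nested ansi-regex copies.

    Sample data for the demonstration only; the versions are chosen to cover
    both sides of the ranges above and are not taken from a real install.
    """
    root = Path(tempfile.mkdtemp(prefix="ansi-regex-scan-"))
    layout = {
        "node_modules/ansi-regex": "5.0.1",                                # fixed
        "node_modules/cli-table3/node_modules/ansi-regex": "3.0.0",        # affected
        "node_modules/npm/node_modules/ansi-regex": "5.0.0",               # affected
        "node_modules/yargs/node_modules/ansi-regex": "6.0.1",             # fixed
        "node_modules/some-other-pkg": "1.2.3",                            # unrelated, ignored
    }
    for rel, version in layout.items():
        d = root / rel
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps({"name": d.name, "version": version}))
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, version, flagged in scan(sample):
        print(f"{'AFFECTED' if flagged else 'ok      '} {version:8} {rel}")
```

Point it at a real tree with `scan("/path/to/project")`; the relative paths in the output tell you which dependent (cli-table3, npm, and so on) is holding the old copy, which is the information needed to decide between upgrading a dependency, deduplicating, or leaving npm out of the final image as suggested later in this thread.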
Hello, npm 8.1.0 continues to install vulnerable versions of ansi-regex package - namely, @5.0.0, @2.1.1, and @3.0.0 - which results in the base Docker image being flagged by container security software. Would it be possible to upgrade all dependencies to use ansi-regex@5.0.1? |
Hello, |
Hello Team, Can you please upgrade npm to use fixed ansi-regex? Thanks, |
Hi npm Team, Kindly let us know the timeline for fixing this issue. Thanks, |
Giving this another bump as this issue is persisting in our CI pipeline's security scan. Any attention to fixing this will make a lot of people happy ❤️ PS. We use |
For anyone blocked by this issue. Don't use NPM in your final container image. Here is an example of a Dockerfile with multistage build based on Alpine:
# Build stage
FROM node:16-alpine3.15 as build
# Install dependencies
WORKDIR /
COPY package-lock.json .
COPY package.json .
RUN npm ci --production
# Final stage
FROM alpine:3.15 as final
# Upgrade APK and install nodejs
RUN apk --no-cache add --upgrade nodejs~16
# Setup application
RUN mkdir -p /app/simple-server
WORKDIR /app/simple-server
COPY . .
COPY --from=build node_modules node_modules
# Run App
ENTRYPOINT ["node", "index.js"]
This will make your scanners happy 😊 |
We ended up uninstalling npm from the final image:
|
@hi-artem Thanks, this is the solution we've opted for |
It would be good to see high vulnerabilities in NPM fixed in a timely fashion, whether or not some deployments can hack NPM out of the equation. |
@MartinFalatic "a CVE exists" does not mean "a vulnerability exists". Most CVEs are false positives, and unless these vulnerabilities are exploitable via npm, it's not actually a vulnerability. An actual vulnerability is a concern - a false positive CVE warning should not be. (i'm not making any assertions about these CVEs/vulnerabilities specifically, just speaking in general terms) |
@MartinFalatic the thing here is how often do you need to have NPM in your final image? IMHO it is not a hack to remove it, but a good practice of not installing development dependencies in your production environment. NPM itself is the development dependency. |
Closed in v8.5.2 thanks @lukekarrys |
I have verified that updating globally to the latest npm version (v8.5.4) on the Dockerfile also does the trick. The security vulnerabilities disappeared.
FROM node:16-alpine3.15
...
RUN npm install -g npm@8.5.4
... |
@wraithgar Is it possible to backport it to version |
The earlier assessments of fix incompatibility with npm 6 are probably no longer true, as the fixed ansi-regex is in npm@6.14.17 via yargs@14.2.3/cliui@5.0.0
so we just need to upgrade cli-columns to version with strip-ansi@5
@wraithgar @Izook do you agree? Thanks! |
Is there an existing issue for this?
Current Behavior
Security scans fail due to a high-severity warning of a security vulnerability in ansi-regex.
Expected Behavior
Security scans pass.
Steps To Reproduce
We use twistlock to do vulnerability detection, which relies on NVD to get vulnerability data.
The issue can be found here, https://nvd.nist.gov/vuln/detail/CVE-2021-3807 and here, https://snyk.io/vuln/npm:ansi-regex.
Environment