[CVE-2021-3807] [ansi-regex] [5.0.0] - Vulnerability on unused npm dependency #302

Bujupah · 2021-11-10T16:09:29Z

Environment:

Grafana Image Renderer version: Latest
Grafana version: Any
OS Grafana Image Renderer is installed on: Any
User OS & Browser: Any

What happened:

One of the npm packages has a vulnerability...

Description : ansi-regex is vulnerable to Inefficient Regular Expression Complexity
URL : https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3807
Fix Version : 5.0.1
Path: /usr/local/lib/node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex

Suggestion:
Since this vulnerability is coming from npm ? why using a node image that has two package managers ? can't we just get one clean node image and then install Yarn into it?

We can use an image from node:<version>-slim instead of node:<version>-alpine
And then set it up with yarn only, this will solve this vulnerability.

AgnesToulet changed the title ~~[CVE-2021-3807] [ansi-regex] [5.0.0]~~ [CVE-2021-3807] [ansi-regex] [5.0.0] - Vulnerability on unused npm dependency Dec 15, 2021

AgnesToulet mentioned this issue Mar 14, 2022

CVE-2021-3918, CVE-2021-3807 #310

Closed

Bujupah closed this as completed Jul 4, 2022

AgnesToulet mentioned this issue May 12, 2023

Remove NPM from Docker image #425

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CVE-2021-3807] [ansi-regex] [5.0.0] - Vulnerability on unused npm dependency #302

[CVE-2021-3807] [ansi-regex] [5.0.0] - Vulnerability on unused npm dependency #302

Bujupah commented Nov 10, 2021 •

edited

Loading

[CVE-2021-3807] [ansi-regex] [5.0.0] - Vulnerability on unused npm dependency #302

[CVE-2021-3807] [ansi-regex] [5.0.0] - Vulnerability on unused npm dependency #302

Comments

Bujupah commented Nov 10, 2021 • edited Loading

Bujupah commented Nov 10, 2021 •

edited

Loading