ANSI-HTML is vulnerable and unmaintained #11504

Open
DrogoNevets opened this issue Oct 4, 2021 · 10 comments

Comments


DrogoNevets commented Oct 4, 2021

Describe the bug

When running yarn audit it shows a vulnerability in ansi-html

Adding a resolution does not help as no patch is available; looking at the affected package, ansi-html is no longer maintained by anyone.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Uncontrolled Resource Consumption in ansi-html               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-html                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > webpack-dev-server > ansi-html               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/4035                        │
└───────────────┴──────────────────────────────────────────────────────────────┘

Did you try recovering your dependencies?

yes

Which terms did you search for in User Guide?

N/A

Environment

mac-mini M1 running in zsh

Steps to reproduce

Run yarn audit on a project using the latest react-scripts.

Expected behavior

Should either pass audit (many dependencies out of date) or use packages that allow a manual resolution of the issue.

Actual behavior

Declares no patch available for the issue; suggest switching to ansi-html-community.


evalrmrf commented Oct 8, 2021

Any updates here?


slutske22 commented Oct 8, 2021

Having the same issue. This seems to be related to "Create a c3.11.3 to resolve vulnerability in dependency ansi-html", which was closed, as the webpack-dev-server team is no longer maintaining v^3 since v^4 is out. It seems the issue is that react-scripts still depends on outdated versions of webpack (4.44.2) and webpack-dev-server (3.11.1). I think fixing this would involve a fairly big upgrade to react-scripts and CRA?

@vkpraveen

Can anyone provide an update here? How should we proceed to fix this issue?

@DrogoNevets (Author)

The way forward we have taken is to scrap using npm audit and use the audit-ci package instead, adding it to our allowed list. Thanks go to @amoore108 for referencing this issue in their CI/CD, which in turn made me aware of the audit-ci package.

#BigUpTheBeeb

@vkpraveen

We were able to resolve it by following Tjatse/ansi-html#19.

@cmacdonnacha

This fixed it for me. Updated 4 other packages too and everything seems to still be working ok.

@junaidahmedvd

@cmacdonnacha npm-force-resolutions does update the registry URL for ansi-html. But if one does `npm i`, it reverts the changes to point ansi-html back to version 0.0.7.
How are you keeping the package-lock.json file pointing to the registry URL?

@cmacdonnacha

> @cmacdonnacha npm-force-resolutions does update the registry URL for ansi-html. But if one does `npm i`, it reverts the changes to point ansi-html back to version 0.0.7.
> How are you keeping the package-lock.json file pointing to the registry URL?

I'd suggest communicating to the team to run `npm ci` instead, which only installs package versions from package-lock.json. Also, adding it to `preinstall` in the package.json scripts should help.


dtsao commented Nov 30, 2021

It appears that ansi-html is only used by webpack-dev-server and @pmmmwh/react-refresh-webpack-plugin.

react-scripts > @pmmmwh/react-refresh-webpack-plugin > ansi-html
react-scripts > webpack-dev-server > ansi-html

Can someone confirm that the ansi-html vulnerability only affects the developer PC and not production code, as described here: https://overreacted.io/npm-audit-broken-by-design/#second-vulnerability, or #11174?

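A lockfile check for the two questions raised in this thread (junaidahmedvd's, whether a forced resolution actually survived in package-lock.json, and dtsao's, whether ansi-html is reachable only through devDependencies), as an added example that is not code from create-react-app, webpack-dev-server or anyone in this thread. It relies only on real npm lockfile fields (`packages`, `dependencies`, `resolved`, `dev`); the lockfile fixtures, the react-scripts and refresh-plugin versions in them, the file name lockcheck.js and the ansi-html-community 0.0.8 tarball URL are assumptions.

```javascript
"use strict";
// Added example, not code from create-react-app, webpack-dev-server or anyone in this
// thread. It reads a package-lock.json and answers the two questions raised above:
//   1. is every copy of a package flagged dev-only, i.e. installed only through
//      devDependencies (the "dev": true flag npm writes into the lockfile)?
//   2. after a forced resolution, does every copy still resolve from the tarball URL
//      you pinned, or did a plain `npm install` rewrite it back to the registry copy?
// Supports lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" map).
// The fixtures below are constructed; the ansi-html-community tarball URL is assumed.

const REGISTRY = "https://registry.npmjs.org";
const VULNERABLE_URL = `${REGISTRY}/ansi-html/-/ansi-html-0.0.7.tgz`;
const FORK_URL = `${REGISTRY}/ansi-html-community/-/ansi-html-community-0.0.8.tgz`; // assumed

// Constructed lockfileVersion 2 fixture with the two dependency paths dtsao listed.
const CONSTRUCTED_LOCK_V2 = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { react: "^17.0.2" }, devDependencies: { "react-scripts": "4.0.3" } },
    "node_modules/react": { version: "17.0.2", resolved: `${REGISTRY}/react/-/react-17.0.2.tgz` },
    "node_modules/react-scripts": { version: "4.0.3", dev: true },
    "node_modules/webpack-dev-server": { version: "3.11.1", dev: true },
    "node_modules/ansi-html": { version: "0.0.7", dev: true, resolved: VULNERABLE_URL },
    "node_modules/@pmmmwh/react-refresh-webpack-plugin": { version: "0.4.3", dev: true },
    "node_modules/@pmmmwh/react-refresh-webpack-plugin/node_modules/ansi-html": {
      version: "0.0.7", dev: true, resolved: VULNERABLE_URL,
    },
  },
};

// Constructed lockfileVersion 1 fixture (npm 6) with the same chain nested.
const CONSTRUCTED_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    react: { version: "17.0.2", resolved: `${REGISTRY}/react/-/react-17.0.2.tgz` },
    "react-scripts": {
      version: "4.0.3", dev: true,
      dependencies: {
        "webpack-dev-server": {
          version: "3.11.1", dev: true,
          dependencies: { "ansi-html": { version: "0.0.7", dev: true, resolved: VULNERABLE_URL } },
        },
      },
    },
  },
};

const MARKER = "node_modules/";

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function lastSegment(lockPath) {
  const i = lockPath.lastIndexOf(MARKER);
  return i === -1 ? lockPath : lockPath.slice(i + MARKER.length);
}

// Every installed copy of `name`: install path, version, resolved URL and dev flag.
function findPackage(lock, name) {
  const hits = [];
  const record = (path, meta) =>
    hits.push({ path, version: meta.version, resolved: meta.resolved || "", dev: meta.dev === true });
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== "" && lastSegment(path) === name) record(path, meta);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [n, meta] of Object.entries(deps)) {
        const path = `${prefix}${MARKER}${n}`;
        if (n === name) record(path, meta);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// True only if the package is present and npm flagged every copy as dev-only.
function isDevOnly(lock, name) {
  const hits = findPackage(lock, name);
  return hits.length > 0 && hits.every((h) => h.dev);
}

// Copies whose resolved URL does not start with the pinned prefix: a forced
// resolution that did not survive in the lockfile.
function unpinnedCopies(lock, name, pinnedPrefix) {
  return findPackage(lock, name).filter((h) => !h.resolved.startsWith(pinnedPrefix));
}

// Look up the lockfile entry for an install path in either lockfile layout.
function entryAt(lock, path) {
  if (lock.packages) return lock.packages[path];
  const names = path.split(MARKER).map((s) => s.replace(/\/$/, "")).filter(Boolean);
  return names.reduce((node, n) => node.dependencies[n], lock);
}

// What a successful forced resolution must leave behind: every copy of `name`
// rewritten to the pinned version and tarball. Returns a modified deep copy.
function withForcedResolution(lock, name, version, resolved) {
  const copy = JSON.parse(JSON.stringify(lock));
  for (const hit of findPackage(copy, name)) Object.assign(entryAt(copy, hit.path), { version, resolved });
  return copy;
}

// Summary for one package, suitable as a CI gate on the committed lockfile.
function report(lock, name, pinnedPrefix) {
  return { copies: findPackage(lock, name), devOnly: isDevOnly(lock, name), unpinned: unpinnedCopies(lock, name, pinnedPrefix) };
}

// Usage: node lockcheck.js package-lock.json ansi-html https://registry.npmjs.org/ansi-html-community/
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const lock = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  console.log(JSON.stringify(report(lock, process.argv[3] || "ansi-html", process.argv[4] || ""), null, 2));
}
```

A `devOnly` result means npm installed every copy through devDependencies; it says nothing about whether a build tool bundles that code, so it narrows the exposure to developer machines and CI rather than proving production is unaffected. Running the report in CI against the committed lockfile, installed with `npm ci` rather than `npm install`, catches the revert junaidahmedvd describes before it ships.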

stale bot commented Jan 8, 2022

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.

@stale stale bot added the stale label Jan 8, 2022