fix: replace ansi-html with ansi-html-community

[fabienmoyon]

This fixes the ReDoS vulnerability CVE-2021-23424

• This is a bugfix
• This is a feature
• This is a code refactor
• This is a test update
• This is a docs update
• This is a metadata update

For Bugs and Features; did you add new tests?

I only replaced a dependency which has tests on its own.

Motivation / Use-Case

Fixes #3576
Replaces #3798

Breaking Changes

None

Additional Info

[linux-foundation-easycla]

• ❌ - Fabien Moyon The commit (6a5dce1) is not authorized under a signed CLA. Please click here to be authorized. For further assistance with EasyCLA, please submit a support request ticket.

[alexander-akait]

webpack-dev-server v3 has other security problems, it is only one of them...

[fabienmoyon]

@alexander-akait yes, maybe I'm trying to fix this issue because it's a blocking one for a project.

What do you more expect for me ?

[alexander-akait]

glob-parent has security problems too, why do not update webpack-dev-server v4?

[racedale]

@alexander-akait sounds like scope creep. This PR has a very specific scope, can you articulate why it needs to be widened to include other packages?

[alexander-akait]

@racedale because there are other security problem in webpack-dev-server v3

[racedale]

@alexander-akait yes and this fixes one of them

[alexander-akait]

Why do not update to v4?

[G-Rath]

I've outlined the "why" in my comment here.

Effectively while moving to v4 would be the best thing to do, it's currently not possible for ecosystems where we're locked into v3 by major frameworks (e.g. Rails, via @rails/webpacker) and who themselves are currently exploring alternatives to their tooling that make it very unlikely to let us move to v4 within the next few years.

[alexander-akait]

@fabienmoyon Can you accept CLA?

[fabienmoyon]

@alexander-akait yes, need to be validated by my organization manager.

[deejayy]

@alexander-akait as I see webpack-dev-server v4 first stable was out 2 months ago. Are you saying that v3 is no longer supported?

[alexander-akait]

I can accept only security fixes, need accept CLA here

[G-Rath]

@alexander-akait @fabienmoyon if getting the SLA signed is an issue, I'm happy to open a PR & sign the SLA instead :)

[snitin315]

@alexander-akait @fabienmoyon if getting the SLA signed is an issue, I'm happy to open a PR & sign the SLA instead :)

Feel free to do it.

[G-Rath]

@snitin315 have opened #4011

[fabienmoyon]

Hello,
I asked some help to the linux foundation, my organization can't see the active CLA to be able to accept it since one week.
I keep you in touch

[alexander-akait]

Done #4011