twistlock issue: CVE-2021-3807 for ansi-regex from https://nodejs.org/dist/v14.17.5/node-v14.17.5-linux-x64.tar.gz
Version
No response
Platform
No response
Subsystem
No response
What steps will reproduce the bug?
No response
How often does it reproduce? Is there a required condition?
No response
What is the expected behavior?
No response
What do you see instead?
We download nodejs.org/dist/v14.17.5/node-v14.17.5-linux-x64.tar.gz and unzip it.
In the twistlock scan report, there are two issues from the node folder.
CVE-2021-3807
packageType:nodejs
packageName:ansi-regex
packageVersion:3.0.0
packagePath: /node/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex
fixed in ansi-regex 5.0.1, 6.0.1
CVE-2021-3807
packageType:nodejs
packageName:ansi-regex
packageVersion:5.0.0
packagePath: /node/lib/node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex
fixed in ansi-regex 5.0.1, 6.0.1
I also manually downloaded the highest Node.js versions, v14.18.1 and v17.1.0, and unzipped them.
The ansi-regex folders under node_modules are still using 3.0.0.
I hope Node.js can use a higher version of ansi-regex.
Where do I open an issue for the above CVE-2021-3807,
hackerone.com/nodejs?type=team
or
github.com/npm/cli/issues
?
Thanks so much.
By the way, I searched for ‘CVE-2021-3807’ or ‘ansi-regex’ in
groups.google.com/group/nodejs-sec
nodejs.org/en/blog/
and cannot find any record.
Additional information
No response