twistlock issue: CVE-2021-3807 for ansi-regex from https://nodejs.org/dist/v14.17.5/node-v14.17.5-linux-x64.tar.gz

Version

No response

Platform

No response

Subsystem

No response

What steps will reproduce the bug?

No response

How often does it reproduce? Is there a required condition?

No response

What is the expected behavior?

No response

What do you see instead?

We download nodejs.org/dist/v14.17.5/node-v14.17.5-linux-x64.tar.gz and unzip it.
In the Twistlock scan report, there are two issues from the node folder.

CVE-2021-3807
packageType:nodejs
packageName:ansi-regex
packageVersion:3.0.0
packagePath: /node/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex
fixed in ansi-regex 5.0.1, 6.0.1

CVE-2021-3807
packageType:nodejs
packageName:ansi-regex
packageVersion:5.0.0
packagePath: /node/lib/node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex
fixed in ansi-regex 5.0.1, 6.0.1

I also manually downloaded the highest Node.js versions, v14.18.1 and v17.1.0, then unzipped them.
The ansi-regex folder under node_modules is still using 3.0.0.

I hope Node.js can use a higher version of ansi-regex.
Where do I open an issue for the above CVE-2021-3807,
hackerone.com/nodejs?type=team
or
github.com/npm/cli/issues
?
Thanks so much.

By the way, I searched for 'CVE-2021-3807' and 'ansi-regex' in
groups.google.com/group/nodejs-sec
nodejs.org/en/blog/
and could not find any record.

Additional information

No response
