Currently the automatic vulnerability checker is issuing an alert regarding ansi-regex < 5.0.1.
This is a node package (more motivation for #128); `canvas` requires `gauge`, and at present the latest version of `gauge` indirectly requires a vulnerable version of `ansi-regex`. Attempted running `npm audit fix` to no avail. Presumably need to wait for this to be fixed upstream: npm/gauge#135
Not expecting any security impact, because our use of node is to render an image from data generated by the application (not supplied by the untrusted end client).
```text
$ npm list ansi-regex # check what versions currently installed
code@ /code
├─┬ canvas@2.8.0
│ └─┬ @mapbox/node-pre-gyp@1.0.6
│   └─┬ npmlog@5.0.1
│     └─┬ gauge@3.0.1
│       └─┬ strip-ansi@4.0.0
│         └── ansi-regex@3.0.0
├─┬ vega-cli@5.21.0
│ └─┬ yargs@17.2.1
│   ├─┬ cliui@7.0.4
│   │ ├─┬ strip-ansi@6.0.1
│   │ │ └── ansi-regex@5.0.1
│   │ └─┬ wrap-ansi@7.0.0
│   │   └─┬ strip-ansi@6.0.1
│   │     └── ansi-regex@5.0.1
│   └─┬ string-width@4.2.3
│     └─┬ strip-ansi@6.0.1
│       └── ansi-regex@5.0.1
└─┬ vega-lite@5.1.1
  └─┬ yargs@17.1.1
    └─┬ string-width@4.2.3
      └─┬ strip-ansi@6.0.1
        └── ansi-regex@5.0.1
$ npm view gauge version # check if newer version exists yet
3.0.1
$ npm view strip-ansi version
7.0.1
```
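The triage question in an issue like this is which top-level dependency drags in the unpatched release, so that the fix (or the decision to wait on upstream) can be scoped. The following is an added example, not code from the issue or the project: it walks the JSON form of the dependency tree (in practice `JSON.parse` of `npm ls --all --json`, npm 7+) and reports every chain that ends in an `ansi-regex` release below the fixed version 5.0.1. The sample tree is constructed to match the `npm list` output quoted above.

```javascript
// Added example: find dependency chains that end in an unpatched ansi-regex.
// Run with: node find-ansi-regex-paths.js
const PACKAGE = 'ansi-regex';
const FIXED_IN = '5.0.1'; // first release without the reported issue

// Constructed stand-in for JSON.parse(execSync('npm ls --all --json')),
// using the package names and versions from the issue's npm list output.
const SAMPLE_TREE = { name: 'code', dependencies: {
  canvas: { version: '2.8.0', dependencies: {
    '@mapbox/node-pre-gyp': { version: '1.0.6', dependencies: {
      npmlog: { version: '5.0.1', dependencies: {
        gauge: { version: '3.0.1', dependencies: {
          'strip-ansi': { version: '4.0.0', dependencies: {
            'ansi-regex': { version: '3.0.0' } } } } } } } } } } },
  'vega-cli': { version: '5.21.0', dependencies: {
    yargs: { version: '17.2.1', dependencies: {
      'string-width': { version: '4.2.3', dependencies: {
        'strip-ansi': { version: '6.0.1', dependencies: {
          'ansi-regex': { version: '5.0.1' } } } } } } } } },
} };

// Numeric "major.minor.patch" comparison; a pre-release suffix is ignored.
function versionLessThan(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Depth-first walk over the tree. Returns one string per vulnerable chain,
// e.g. "canvas@2.8.0 > ... > ansi-regex@3.0.0"; a patched copy of the
// package elsewhere in the tree (vega-cli's ansi-regex@5.0.1) is not reported.
function findVulnerablePaths(tree, pkg = PACKAGE, fixedIn = FIXED_IN) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const chain = [...path, `${name}@${dep.version}`];
      if (name === pkg && versionLessThan(dep.version, fixedIn)) {
        hits.push(chain.join(' > '));
      }
      walk(dep, chain);
    }
  };
  walk(tree, []);
  return hits;
}

console.log(findVulnerablePaths(SAMPLE_TREE).join('\n'));
```

The output names `canvas` as the only top-level dependency on the vulnerable chain, which is the information needed to decide whether an `overrides` entry or an upstream fix is the right response.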