Dependency vulnerabilities

[PeculiarGoat]

Any chance you could run npm audit fix --force to kill those vulnerabilities?

[TheBrockEllis]

Specifically, I'm running into some issues with the ansi-regex package that's a deep dependency of chokidar-cli when running npm audit. I understand that often times the audit tool reports false positives, but we're trying to be thorough by tracking down new entries. According to NPM's audit tool:

Severity: moderate
Package: ansi-regex
Patched-in: >=5.0.1
Dependency of: chokidar-cli [dev]
Path: chokidar-cli > yards > string-width > strip-ansi > ansi-regex
More info: GHSA-93q8-gq69-wqmw

[gotreasa]

A handy tool to use is snyk:

npx snyk wizard --dev

This takes you through the vulnerabilities and suggests a fix if it's available or to ignore the vulnerability until a fix can be applied at a later point. Some of the features of Snyk are on https://support.snyk.io/hc/en-us/articles/360000920818-What-is-the-difference-between-snyk-test-protect-and-monitor-

[luflow]

@gotreasa Doesn't help with ansi-regex in this case. No patch available it says.

Cant the project just update to 5.0.1 (with node.js 8 as req) or 6.0.1 (with node.js 12 as req)? The changelogs don't suggest any other breaking changes.