GHSA-93q8-gq69-wqmw VS yarn

{ "actions": [], "advisories": { "1004946": { "findings": [ { "version": "4.1.0", "paths": [ "ts-patch>strip-ansi>ansi-regex", "lerna>npmlog>gauge>ansi-regex", "lerna>@lerna/bootstrap>npmlog>gauge>ansi-regex", ... ] } ], "metadata": null, "vulnerable_versions": ">2.1.1 <5.0.1", "module_name": "ansi-regex", "severity": "moderate", "github_advisory_id": "GHSA-93q8-gq69-wqmw", "cves": [ "CVE-2021-3807" ], "access": "public", "patched_versions": ">=5.0.1", "updated": "2021-09-23T15:45:50.000Z", "recommendation": "Upgrade to version 5.0.1 or later", "cwe": "CWE-918", "found_by": null, "deleted": null, "id": 1004946, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3807\n- https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9\n- https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311\n- https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774\n- https://github.com/advisories/GHSA-93q8-gq69-wqmw", "created": "2021-11-18T16:00:48.472Z", "reported_by": null, "title": " Inefficient Regular Expression Complexity in chalk/ansi-regex", "npm_advisory_id": null, "overview": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw" },

# npm audit report ansi-html * Severity: high Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9 fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/ansi-html @pmmmwh/react-refresh-webpack-plugin <=0.5.0-rc.6 Depends on vulnerable versions of ansi-html Depends on vulnerable versions of webpack-dev-server node_modules/@pmmmwh/react-refresh-webpack-plugin gatsby >=1.9.99 Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @typescript-eslint/parser Depends on vulnerable versions of ansi-html Depends on vulnerable versions of eslint Depends on vulnerable versions of eslint-config-react-app Depends on vulnerable versions of gatsby-cli Depends on vulnerable versions of optimize-css-assets-webpack-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of strip-ansi Depends on vulnerable versions of webpack Depends on vulnerable versions of webpack-dev-server node_modules/gatsby ansi-regex >2.1.1 <5.0.1 Severity: moderate Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/react-dev-utils/node_modules/inquirer/node_modules/ansi-regex node_modules/string-width/node_modules/ansi-regex node_modules/strip-ansi/node_modules/ansi-regex node_modules/webpack-dev-server/node_modules/cliui/node_modules/ansi-regex node_modules/webpack-dev-server/node_modules/string-width/node_modules/ansi-regex node_modules/webpack-dev-server/node_modules/wrap-ansi/node_modules/ansi-regex strip-ansi 4.0.0 - 5.2.0 Depends on vulnerable versions of ansi-regex node_modules/react-dev-utils/node_modules/inquirer/node_modules/strip-ansi node_modules/string-width/node_modules/strip-ansi node_modules/strip-ansi node_modules/webpack-dev-server/node_modules/cliui/node_modules/strip-ansi node_modules/webpack-dev-server/node_modules/string-width/node_modules/strip-ansi node_modules/webpack-dev-server/node_modules/wrap-ansi/node_modules/strip-ansi cliui 4.0.0 - 5.0.0 Depends on vulnerable versions of strip-ansi Depends on vulnerable versions of wrap-ansi node_modules/webpack-dev-server/node_modules/cliui yargs 10.1.0 - 15.0.0 Depends on vulnerable versions of cliui Depends on vulnerable versions of string-width node_modules/webpack-dev-server/node_modules/yargs webpack-dev-server 2.0.0-beta - 3.11.3 Depends on vulnerable versions of chokidar Depends on vulnerable versions of yargs node_modules/webpack-dev-server @pmmmwh/react-refresh-webpack-plugin <=0.5.0-rc.6 Depends on vulnerable versions of ansi-html Depends on vulnerable versions of webpack-dev-server node_modules/@pmmmwh/react-refresh-webpack-plugin gatsby >=1.9.99 Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @typescript-eslint/parser Depends on vulnerable versions of ansi-html Depends on vulnerable versions of eslint Depends on vulnerable versions of eslint-config-react-app Depends on vulnerable versions of gatsby-cli Depends on vulnerable versions of optimize-css-assets-webpack-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of strip-ansi Depends on vulnerable versions of webpack Depends on vulnerable versions of webpack-dev-server node_modules/gatsby eslint 4.5.0 - 7.15.0 Depends on vulnerable versions of strip-ansi Depends on vulnerable versions of table node_modules/eslint @typescript-eslint/eslint-plugin <=3.0.0-alpha.27 Depends on vulnerable versions of @typescript-eslint/parser Depends on vulnerable versions of eslint node_modules/@typescript-eslint/eslint-plugin eslint-config-react-app 3.0.0-next.03604a46 - 5.2.1 Depends on vulnerable versions of @typescript-eslint/eslint-plugin Depends on vulnerable versions of @typescript-eslint/parser Depends on vulnerable versions of eslint node_modules/eslint-config-react-app @typescript-eslint/parser 1.1.1-alpha.0 - 2.34.1-alpha.2 Depends on vulnerable versions of eslint node_modules/@typescript-eslint/parser gatsby-cli 2.5.9-ink.60 - 2.5.9-ink.61 || >=2.6.0-0 Depends on vulnerable versions of gatsby-recipes Depends on vulnerable versions of strip-ansi node_modules/gatsby-cli inquirer 3.2.0 - 7.0.4 Depends on vulnerable versions of string-width Depends on vulnerable versions of strip-ansi node_modules/react-dev-utils/node_modules/inquirer react-dev-utils 0.4.0 - 11.0.3 Depends on vulnerable versions of inquirer node_modules/react-dev-utils string-width 2.1.0 - 4.1.0 Depends on vulnerable versions of strip-ansi node_modules/string-width node_modules/table/node_modules/string-width node_modules/webpack-dev-server/node_modules/string-width table 4.0.2 - 5.4.6 Depends on vulnerable versions of string-width node_modules/table wrap-ansi 3.0.0 - 6.1.0 Depends on vulnerable versions of string-width Depends on vulnerable versions of strip-ansi node_modules/webpack-dev-server/node_modules/wrap-ansi yurnalist >=1.0.5 Depends on vulnerable versions of strip-ansi node_modules/yurnalist glob-parent <5.1.2 Severity: high Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6 fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/watchpack-chokidar2/node_modules/glob-parent node_modules/webpack-dev-server/node_modules/glob-parent chokidar 1.0.0-rc1 - 2.1.8 Depends on vulnerable versions of glob-parent node_modules/watchpack-chokidar2/node_modules/chokidar node_modules/webpack-dev-server/node_modules/chokidar watchpack-chokidar2 * Depends on vulnerable versions of chokidar node_modules/watchpack-chokidar2 watchpack 1.7.2 - 1.7.5 Depends on vulnerable versions of watchpack-chokidar2 node_modules/watchpack webpack 4.44.0 - 4.46.0 Depends on vulnerable versions of watchpack node_modules/webpack gatsby >=1.9.99 Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @typescript-eslint/parser Depends on vulnerable versions of ansi-html Depends on vulnerable versions of eslint Depends on vulnerable versions of eslint-config-react-app Depends on vulnerable versions of gatsby-cli Depends on vulnerable versions of optimize-css-assets-webpack-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of strip-ansi Depends on vulnerable versions of webpack Depends on vulnerable versions of webpack-dev-server node_modules/gatsby webpack-dev-server 2.0.0-beta - 3.11.3 Depends on vulnerable versions of chokidar Depends on vulnerable versions of yargs node_modules/webpack-dev-server @pmmmwh/react-refresh-webpack-plugin <=0.5.0-rc.6 Depends on vulnerable versions of ansi-html Depends on vulnerable versions of webpack-dev-server node_modules/@pmmmwh/react-refresh-webpack-plugin nth-check <2.0.1 Severity: moderate Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/svgo/node_modules/nth-check css-select <=3.1.0 Depends on vulnerable versions of nth-check node_modules/svgo/node_modules/css-select svgo 1.0.0 - 1.3.2 Depends on vulnerable versions of css-select node_modules/svgo postcss-svgo 4.0.0-nightly.2020.1.9 - 5.0.0-rc.2 Depends on vulnerable versions of svgo node_modules/postcss-svgo cssnano-preset-default <=4.0.8 Depends on vulnerable versions of postcss-svgo node_modules/cssnano-preset-default cssnano 4.0.0-nightly.2020.1.9 - 4.1.11 Depends on vulnerable versions of cssnano-preset-default node_modules/cssnano optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.8 Depends on vulnerable versions of cssnano node_modules/optimize-css-assets-webpack-plugin gatsby >=1.9.99 Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @typescript-eslint/parser Depends on vulnerable versions of ansi-html Depends on vulnerable versions of eslint Depends on vulnerable versions of eslint-config-react-app Depends on vulnerable versions of gatsby-cli Depends on vulnerable versions of optimize-css-assets-webpack-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of strip-ansi Depends on vulnerable versions of webpack Depends on vulnerable versions of webpack-dev-server node_modules/gatsby react-dev-utils 0.4.0 - 11.0.3 Severity: moderate Improper Neutralization of Special Elements used in an OS Command. - https://github.com/advisories/GHSA-5q6m-3h65-w53x Depends on vulnerable versions of inquirer fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/react-dev-utils gatsby >=1.9.99 Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @typescript-eslint/parser Depends on vulnerable versions of ansi-html Depends on vulnerable versions of eslint Depends on vulnerable versions of eslint-config-react-app Depends on vulnerable versions of gatsby-cli Depends on vulnerable versions of optimize-css-assets-webpack-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of strip-ansi Depends on vulnerable versions of webpack Depends on vulnerable versions of webpack-dev-server node_modules/gatsby trim <0.0.3 Severity: high Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/trim remark-parse <=8.0.3 Depends on vulnerable versions of trim node_modules/remark-parse gatsby-recipes 0.0.7-unifiedroutes.76 - 0.0.7-unifiedroutes-v2.135 || >=0.1.31 Depends on vulnerable versions of remark-parse node_modules/gatsby-recipes gatsby-cli 2.5.9-ink.60 - 2.5.9-ink.61 || >=2.6.0-0 Depends on vulnerable versions of gatsby-recipes Depends on vulnerable versions of strip-ansi node_modules/gatsby-cli gatsby >=1.9.99 Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @typescript-eslint/parser Depends on vulnerable versions of ansi-html Depends on vulnerable versions of eslint Depends on vulnerable versions of eslint-config-react-app Depends on vulnerable versions of gatsby-cli Depends on vulnerable versions of optimize-css-assets-webpack-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of strip-ansi Depends on vulnerable versions of webpack Depends on vulnerable versions of webpack-dev-server node_modules/gatsby ws 7.0.0 - 7.4.5 Severity: moderate ReDoS in Sec-Websocket-Protocol header - https://github.com/advisories/GHSA-6fc8-4gx4-v693 fix available via `npm audit fix` node_modules/@graphql-tools/url-loader/node_modules/ws @graphql-tools/url-loader 6.4.1-alpha-0ea0f8b7.0 - 6.10.1 Depends on vulnerable versions of ws node_modules/@graphql-tools/url-loader 36 vulnerabilities (23 moderate, 13 high) To address issues that do not require attention, run: npm audit fix To address all issues (including breaking changes), run: npm audit fix --force

More info https://github.com/advisories/GHSA-93q8-gq69-wqmw

Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw

instead. Please refer tothis issue for guidance. Following the instructions in this issue will ensure the correct installation of Yarn.

As an alternative, you can use the Yarn CLI command:

The PR for Auto detect and merge lockfile conflicts provides insight into the latest implementation in /src/lockfile/parse.js.

this this maybe https://github.com/yarnpkg/yarn/issues/8331

Yarn, but you can use npm or pnpm as alternatives to yarn if you prefer.

Yarn definitely shot themselves in the foot badly. PnP identified real problems & came up with a solution, but pnpm is doing a similar set of tricks but in a Node-ecosystem-compatible way, with next to no compatibility issues (versus package maintainers having to each individually support Yarn V2 PnP). Yarn V2 seemingly thought they could get the entire npm package world to switch to yarn, saw their growth & saw the thought-leaders & decided their winning was a fait-accompli.

And they didn't really execute very well... v2 landed, there was controversy, and there's been so little visible or exciting good news about it. It over-played Yarns so hand they renamed Yarn v2 as Berry, just to re-gather the troops & make a staging point forward. But it's still an incredibly hard pill to swallow, and the "yarn (berry) is great, the ecosystem needs to change" attitude seemingly isn't gaining any traction and it's hard to tell where Yarn could go.

In Yarn v3[1], they've introduced a modular "linker" system for how to install packages, that seemingly might get them able to experiment around/play around a little more & be less constrained than the hard-path they'd crusaded for.

One thing I will say for Yarn, that makes me unbelievably happy versus npm (announced during the V2[2] announcement):

> Yarn is first and foremost a Node API that can be used programmatically (via @yarnpkg/core)

Npm is the premier tool for open-source javascript, but it itself is one of the least open-source efforts on the planet. I finally started digging around the npm package and it's underlying cacache cache-structure, and it's just infinitely unpleasant to get started with. There's maybe like 3 articles on the whole planet that have any guidance for what npm is inside, how it works, what you can do with it, how you can hack it. Yarn identifying that the package manager itself is something that developers need access to is a huge win & I want to thank them forever for putting that on their bullet list of great Yarn things.

[1] https://dev.to/arcanis/yarn-3-0-performances-esbuild-better-...

[2] "Yarn's Future - v2 and beyond" https://github.com/yarnpkg/yarn/issues/6953

Unfortunately, as I found out, yarn's resolutions property has a long history of not playing well with optionalDependencies: anything placed into resolutions is treated as required and will abruptly fail to install if it is, for example, a platform-specific package appropriate for your deploy environment but not your dev environment or vice versa, as is the case here.

It was July 2021. I started with [email protected] since I’ve been using it for a long time. Yarn was fast, but soon I met several issues with Yarn Workspaces. E.g., not hoisting dependencies correctly, and tons of issues are tagged with “fixed in modern”, which redirects me to the v2 (berry).

Upgrading dependencies: Yarn 1's yarn upgradeonly upgrades direct dependencies of the current workspace. Yarn 2's up ignores the version ranges in your package.json and upgrades for all workspaces. npm's and pnpm'supdate respect your version ranges and upgrade indirect dependencies as well.