6

There is a full breakdown on npm audit below.

So far we have tried npm audit fix with depth, we have tried to shrinkwrap and manually change the relevant version numbers to the GitHub-suggested fixed version (6.0.1).

npm install resets the packages to 5.0.1 even after manual deletion, re-installation etc.

Output of npm audit below.

    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Moderate      │  Inefficient Regular Expression Complexity in                │
    │               │ chalk/ansi-regex                                             │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ ansi-regex                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Patched in    │ >=5.0.1                                                      │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ node-sass                                                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ node-sass > sass-graph > yargs > string-width > strip-ansi > │
    │               │ ansi-regex                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Moderate      │  Inefficient Regular Expression Complexity in                │
    │               │ chalk/ansi-regex                                             │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ ansi-regex                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Patched in    │ >=5.0.1                                                      │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ node-sass                                                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ node-sass > sass-graph > yargs > cliui > string-width >      │
    │               │ strip-ansi > ansi-regex                                      │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Moderate      │  Inefficient Regular Expression Complexity in                │
    │               │ chalk/ansi-regex                                             │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ ansi-regex                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Patched in    │ >=5.0.1                                                      │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ node-sass                                                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ node-sass > sass-graph > yargs > cliui > wrap-ansi >         │
    │               │ string-width > strip-ansi > ansi-regex                       │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
    └───────────────┴──────────────────────────────────────────────────────────────┘

How do we update this nested dependency correctly to avoid npm audit issues?

desertnaut

Cheetara
  • Please **re-read** the question as you had [initially posted it](https://stackoverflow.com/revisions/69590927/1), and tell me if there was any way anyone would have understood what is actually going on and the actual output of the npm audit. *Not* the way to post questions here - you are expected to at least *try* to communicate your issue efficiently... – desertnaut Oct 15 '21 at 22:32

2 Answers

10

Honestly, your best path is to choose not to worry about this. node-sass is presumably a development dependency, not something you are shipping to users. You're not going to accidentally manage to include a string that causes ansi-regex to run inefficiently. And even if you did, that's not going to take down your server. It's going to make your build pipeline take longer than you might like.

At the time of this writing, a clean install of node-sass (latest version is 6.0.1) with no other dependencies still results in the vulnerable ansi-regex being installed. So you'd have to engage in some special shenanigans to get things fixed. While those shenanigans may be worth it for something that installs a vulnerability on your production server, doing so in this case would probably mean applying a lot of effort to create a potentially-brittle fix for something that is a non-issue.

So I strongly recommend simply waiting for the next version of node-sass (which will be one of 6.0.2, 6.1.0, or 7.0.0) and hope that it has the issue fixed, and don't worry about it much if it doesn't.

Trott
  • Great feedback thank you – Cheetara Oct 16 '21 at 13:12
  • Worth noting that `node-sass` is [deprecated](https://github.com/sass/node-sass). Depending on use-case it may therefore be appropriate to replace with [sass](https://stackoverflow.com/a/70428535/2064596). – Oscar Schafer Apr 29 '22 at 16:07
8

You can use the npm-force-resolutions package in a preinstall script in your package.json. From the docs:

This package modifies package-lock.json to force the installation of a specific version of a transitive dependency (dependency of dependency)

Here's exactly what fixed the issue for me (after days of bashing my head against the wall):

In package.json:

    ...
    "scripts": {
      "preinstall": "npx npm-force-resolutions"
    },
    "resolutions": {
      "ansi-regex": "5.0.1"
    },
    ...

Then npm i should install with no vulnerabilities.

NickH
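An added check, not from NickH's answer or the npm-force-resolutions project: after the install, a script like this walks package-lock.json and lists every copy of ansi-regex still below 5.0.1, so a clean npm audit is confirmed from the lockfile rather than assumed. The lockfile it ships with is constructed, and it handles both the nested v1 and the flat v2/v3 lockfile layouts.

```javascript
// Added example (not from the answer or the npm-force-resolutions project):
// scan a package-lock.json for every installed copy of a package and report
// those still below a patched version, to confirm an override actually worked.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
function parseVersion(v) {
  return v.split(/[.+-]/, 3).map(Number);     // "5.0.1" -> [5, 0, 1]; suffixes ignored
}

function versionLessThan(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Return {path, version} for each installed copy of `name`, hoisted or nested.
function findInstalled(lock, name) {
  const hits = [];
  if (lock.packages) {                          // v2/v3: flat map keyed by install path
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key.endsWith('node_modules/' + name)) hits.push({ path: key, version: meta.version });
    }
  } else {                                      // v1: nested tree of "dependencies"
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps || {})) {
        const path = prefix + 'node_modules/' + dep;
        if (dep === name) hits.push({ path, version: meta.version });
        walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

function vulnerableCopies(lock, name, patched) {
  return findInstalled(lock, name).filter(h => versionLessThan(h.version, patched));
}

// Constructed sample (not a real lockfile): hoisted copy forced to 5.0.1, a nested copy left behind.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'ansi-regex': { version: '5.0.1' },
    'node-sass': { version: '6.0.1', dependencies: {
      'strip-ansi': { version: '0.0.0-sample', dependencies: {
        'ansi-regex': { version: '2.1.1' } } } } }
  }
};
```

Point `vulnerableCopies` at `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in your project; an empty result means no old ansi-regex copy survives anywhere in the tree, hoisted or nested.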