Upgrade ansi-regex to 4.1.1

[iblancasa]

Signed-off-by: Israel Blancas [email protected]

Changes

• Upgrade ansi-regex dependency from 4.1.0 to 4.1.1.

Fixes

• CVE-2021-3807

Checklist

• tested locally

Description

The project is using ansi-regex 4.1.0. It seems to be a transitive dependency. That dependency has a vulnerability (CVE-2021-3807). Upgrading it to 4.1.1, solves the problem

[xoscar]

Hey @iblancasa thank you for contributing.

Do you mind providing more information about this change?

Thanks!

[iblancasa]

Sure! @xoscar I updated the first message. Is that OK or more information is needed? Thanks!

[cescoferraro]

Hi @iblancasa, very nice to hear you are interested in the project. 🥇

Your changes would be overwritten, next time any of us run npm install on the project, because this ansi-regex is a dependency of lots of dependencies we use right now. Changing our package-lock.json wont make the problem go away.

So I think we need to wait for them to update theirs, since we cannot ditch them entirely.
I found this #18713 , where @storybook is planning to solve this issue on the next release. But not sure about the other ones. Latest eslint version also does not includes this solution.
Good thing is that all those dependencies that use ansi-regex are only used at build time at Tracetest, so this should not affect our end users.

If there is anything else you see missing or would like to see on Tracetest, please do not hesitate in contacting us.
We are actively available on the Discord channel

[iblancasa]

Hi @cescoferraro, I see…
How about adding ansi-regex 4.1.1 to the dependencies in the meantime?

[cescoferraro]

@iblancasa good idea. Although it would solve @types/jest version, cause the newly installed version would dedup [email protected]
This would not solve the issue on @storybook/react that would still use version 2.1.1. Which is also compromised.