Overview
I am having trouble resolving a ReDoS vulnerability identified by npm audit
. My application has a nested sub-dependency ansi-html
that is vulnerable to attack, but unfortunately, it seems that the maintainers have gone AWOL. As you can see in the comments section of that Github issue, to get around this problem, the community has made a fork of the repo called ansi-html-community
located here, which addresses this vulnerability.
Thus, I would like to replace all nested references of ansi-html
with ansi-html-community
.
Problem
My normal strategy of using npm-force-resolutions
does not seem to be able to override nested sub-dependencies with a different package altogether but rather only the same packages that are a different version number. I have researched this for several hours, but unfortunately, the only way I have found to fix this would appear to be with yarn, which I am now seriously considering using instead of npm. However, this is not ideal as our entire CI/CD pipeline is configured to use npm.
Does anyone know of any other way to accomplish nested sub-dependency package substitution/resolution without having to switch over to using yarn?
Related Questions
These are questions of interest that I was able to find, but unfortunately, they tend to only discuss methods to override package version number, not the package itself.
Discusses how to override version number:
How do I override nested NPM dependency versions?
Has a comment discussion about npm shrinkwrap
(not ideal):
npm - how to override a dependent package's dependencies?
CSE Index of related StackOverflow questions:
CodePudding user response:
I figured it out. As of October 2021, the solution using npm-force-resolutions
is actually very similar to how you would specify it using yarn
. You just need to provide a link to the tarball where you would normally specify the overriding version number. Your resolutions section of package.json
should look like this:
"resolutions": {
"ansi-html": "https://registry.npmjs.org/ansi-html-community/-/ansi-html-community-0.0.8.tgz"
}
To find the link to the tarball, use the following command, modifying your registry as necessary:
npm view ansi-html-community dist.tarball --registry=https://registry.npmjs.org/