[listenbrainz-server] CVE-2021-3807: ansi-regex < 6.0.1

    • Task
    • Resolution: Won't Fix
    • Normal
    • LB
    • None
    • 1,436,810,009

      CVE-2021-3807 affects package ansi-regex < 6.0.1 which metabrainz/listenbrainz-server depends on.

      Please self-assign this ticket and check metabrainz/listenbrainz-server alerts, then:

      • Dismiss the corresponding alert in GitHub if there is a valid reason for doing so (patch in progress, no bandwidth, tolerable risk, inaccurate alert, or unused code).
      • Create a new ticket in the affected JIRA project, link it to this ticket (do not move this ticket to another project), and address that new ticket.

      In both cases, GitHub Bot will close this ticket for you, except if you backport a patch on a vulnerable dependency.

      This ticket has been created by SEC automation.

          [SEC-462] [listenbrainz-server] CVE-2021-3807: ansi-regex < 6.0.1

          amCap1712 added a comment -

          The transitive deps have been unmaintained for years and are unlikely to be updated either. As far as I understand, the deps are only used at dev time so closing without fix.

            kartik1712 amCap1712
            github-bot GitHub Bot