strip-ansi to version ^6.0.1 to fix this vulnerability issue: https://www.npmjs.com/advisories/1004946.
I don't know how to test this, but would gladly help, if I can get a bit of guidance.
- According to https://github.com/chalk/strip-ansi/releases/tag/v6.0.0, upgrading to version 6 requires changing `import stripAnsi from 'strip-ansi';` to `import stripAnsi = require('strip-ansi');`. I did not make this change because VSCode only accepted the current syntax, and my experience is that VSCode is usually right about these things. 🙂
- I have updated to `^6.0.1` across all packages, including the ones that were already on `^6.0.0`, to align the version and to make it clear that v6.0.0 should be avoided.
- I have not upgraded to version 7 because that changes `strip-ansi` to the ESM syntax, and I am unsure if this would work.
- `yarn install` did not update `yarn.lock`, so there are probably still some packages using the `strip-ansi` in the older (and vulnerable) versions.
- The starters haven't been touched. Unsure if this is acceptable.
- This is a follow-up to the discussion here: https://github.com/gatsbyjs/gatsby/discussions/28852
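
As an added example (not part of the PR or the Gatsby code base), one way to check the `yarn.lock` concern above: a small Node.js scan of a Yarn v1 lockfile that lists `strip-ansi` entries still resolved below `6.0.1`. The lockfile text is constructed, the function names are hypothetical, and treating everything below `6.0.1` as stale is an assumption taken from the PR's target version.

```javascript
// Constructed sample in Yarn v1 lockfile format; this is not the Gatsby yarn.lock.
const SAMPLE_LOCK = `# yarn lockfile v1

"strip-ansi@^3.0.0", strip-ansi@^3.0.1:
  version "3.0.1"
  dependencies:
    ansi-regex "^2.0.0"

strip-ansi@^6.0.0:
  version "6.0.0"

strip-ansi@^6.0.1:
  version "6.0.1"

string-width@^4.2.0:
  version "4.2.3"
  dependencies:
    strip-ansi "^6.0.1"
`;

// Compare two plain x.y.z versions numerically (pre-release tags are ignored).
function compareVersions(a, b) {
  const pa = a.split('.').map(n => parseInt(n, 10) || 0);
  const pb = b.split('.').map(n => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Return [{ requested, version }] for every lockfile block of `pkg` resolved below `floor`.
function findStaleEntries(lockText, pkg, floor) {
  const stale = [];
  let current = null; // descriptors of the block being read, or null for other packages
  for (const line of lockText.split(/\r?\n/)) {
    if (line && !/^[\s#]/.test(line) && line.endsWith(':')) {
      // Block header: comma-separated "name@range" descriptors, optionally quoted.
      const descriptors = line.slice(0, -1).split(',').map(d => d.trim().replace(/^"|"$/g, ''));
      const ours = descriptors.filter(d => d.lastIndexOf('@') > 0 && d.slice(0, d.lastIndexOf('@')) === pkg);
      current = ours.length ? ours : null;
    } else if (current) {
      const m = /^  version "([^"]+)"$/.exec(line);
      if (m && compareVersions(m[1], floor) < 0) stale.push({ requested: current, version: m[1] });
    }
  }
  return stale;
}

console.log(findStaleEntries(SAMPLE_LOCK, 'strip-ansi', '6.0.1'));
```

Each reported entry names the ranges that pinned the old resolution, which shows which dependents still need a bump or a lockfile refresh.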