Broccoli middleware - Security update

Hi, would it be possible to accept a PR to address security vulnerabilities in ansi-html library: Security Vulnerability: ansi-html@0.0.7 · Issue #56 · ember-cli/broccoli-middleware · GitHub

Could you update the broccoli-middleware project? There is no real activity in the last couple of years.

Thank you, Jan

Hi. Just as a disclaimer, I am not part of the Ember-CLI team, just trying to help as one of the many people here working on apps in the Ember ecosystem.

My understanding is that Broccoli, broccoli-middleware, and other packages of that type have indeed gone dormant over the past couple of years, as the Ember community has shifted its focus to building out Embroider as the eventual replacement for Broccoli.

My quick review of how Broccoli and broccoli-middleware use ansi-html suggests it would only be a realistic concern if you are using Broccoli / Ember-CLI to serve your live production server. The much more common case is building assets for deploy, in which case the only data you’re feeding into ansi-html would be content you control (and even then it seems to be used mainly for rendering error data).

That said, I know some companies are sticklers about this sort of thing. If you still need to apply this fix, you should use npm overrides (or the equivalents for other package managers) in your package.json file:

"overrides": {
  "ansi-html": "^0.0.9"
}

We have used a similar setup in our app for the past several months without concern.

1 Like

Hi, thanks for the tip. Eventually, we’ve used the package manager resolution (Selective dependency resolutions | Yarn) to apply the latest version of the ansi-html library. Does it make sense to use Embroider for the build pipeline right now? Is it production ready? Or should we wait for the official process, when it becomes part of EmberCLI?

Is there an example of how to migrate from Broccoli to Embroider?

Thank you, Jan

@JanEaton I can point you to the “How to try it” section of the Embroider readme, but I haven’t really tried it with the app I work on yet.

From that same readme: “Several large, heavily-tested Ember apps are shipping to production with Embroider.” If that’s correct (and I have no reason to doubt it), the risk of switching now should be relatively low.

However, even if you switch to an Embroider build, Broccoli (and therefore ansi-html) will still be installed as a dependency of Ember-CLI for some time to come, until Broccoli support is removed. So I wouldn’t (yet) switch to Embroider just to try to remove ansi-html from your build tree.