{"ecosystem":"npm","package":"ansi-regex","version":null,"bugs":[{"id":152,"ecosystem":"npm","package_name":"ansi-regex","affected_version":"6.0.0","fixed_version":"6.0.1","bug_id":"osv:GHSA-93q8-gq69-wqmw","title":"Inefficient Regular Expression Complexity in chalk/ansi-regex","description":"ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.\n\n**Proof of Concept**\n```js\nimport ansiRegex from 'ansi-regex';\nfor(var i = 1; i <= 50000; i++) {\n    var time = Date.now();\n    var attack_str = \"\\u001B[\"+\";\".repeat(i*10000);\n    ansiRegex().test(attack_str)\n    var time_cost = Date.now() - time;\n    console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\n}\n```\nThe ReDOS is mainly due to the sub-patterns `[[\\\\]()#;?]*` and `(?:;[-a-zA-Z\\\\d\\\\/#&.:=?%@~_]*)*`","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3807","labels":["CVE-2021-3807"],"created_at":"2026-04-19T04:30:31.364054+00:00","updated_at":"2026-04-19T04:30:31.364054+00:00"},{"id":159,"ecosystem":"npm","package_name":"ansi-regex","affected_version":null,"fixed_version":null,"bug_id":"github:6","title":"Can't match this string \"\\u001b[?1049h\\u001b[?1h\\u001b=\"","description":"\"man\" command in Linux will produce many escape codes. All of escape codes but this first string \"\\u001b[?1049h\\u001b[?1h\\u001b=\" can be matched by ansi-regex.\n\nI use strip-ansi to trim \"\\u001b[?1049h\\u001b[?1h\\u001b=\" ,and get this result \"\u001b[?1049h\u001b[?1h\u001b=\", not \"\".\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/chalk/ansi-regex/issues/6","labels":["bug","help wanted"],"created_at":"2026-04-19T04:30:32.203497+00:00","updated_at":"2026-04-19T04:30:32.203497+00:00"},{"id":158,"ecosystem":"npm","package_name":"ansi-regex","affected_version":null,"fixed_version":null,"bug_id":"github:19","title":"escape codes from `ansi-escapes` not being stripped by `strip-ansi`?","description":"Hey, thanks for this useful tool!\r\n\r\nIf I understand correctly, the following escape codes should be stripped by `strip-ansi`, right?\r\n\r\n```js\r\nconst esc = require('ansi-escapes')\r\nconst stripAnsi = require('strip-ansi')\r\n\r\nesc.scrollDown // '\\u001b[T'\r\nstripAnsi(esc.scrollDown) // '\\u001b[T'\r\nesc.beep // '\\u0007'\r\nstripAnsi(esc.beep) // '\\u0007'\r\n```\r\n\r\n`clearScreen` gets stripped though:\r\n\r\n```js\r\nesc.clearScreen // '\\u001bc'\r\nstripAnsi(esc.clearScreen) // ''\r\n```","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/chalk/ansi-regex/issues/19","labels":["bug"],"created_at":"2026-04-19T04:30:32.203027+00:00","updated_at":"2026-04-19T04:30:32.203027+00:00"},{"id":157,"ecosystem":"npm","package_name":"ansi-regex","affected_version":null,"fixed_version":null,"bug_id":"github:21","title":"Set title mode escape codes not matched","description":"Hello, \r\n\r\naccording to links below, the following sequence instruct the terminal to set window  title and icon: \r\n```\r\n\\u001b]0;sg@tota:~/git/\\u0007\r\n```\r\nand strip-ansi is not removing it\r\n\r\nIn other words I expect \r\n\r\n```\r\nstripAnsi('\\u001b]0;sg@tota:~/git/\\u0007\\u001b[01;32m[sg@tota\\u001b[01;37m misc-tests\\u001b[01;32m]$') \r\n```\r\nto return the string:\r\n\r\n```\r\n[sg@tota misc-tests]$\r\n```\r\nThis is very common in xterm based linux stdout to print the prompt. Thanks BTW this is great project! keep it up! \r\n\r\nReferences: \r\nhttp://invisible-island.net/xterm/ctlseqs/ctlseqs.html#h2-Title-Modes\r\nhttps://unix.stackexchange.com/questions/288996/what-u001b0kubajcubic-u0007-escape-code-do\r\n\r\nfailing test PR https://github.com/chalk/ansi-regex/pull/22/files","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/chalk/ansi-regex/issues/21","labels":["bug","help wanted"],"created_at":"2026-04-19T04:30:32.202277+00:00","updated_at":"2026-04-19T04:30:32.202277+00:00"},{"id":156,"ecosystem":"npm","package_name":"ansi-regex","affected_version":null,"fixed_version":null,"bug_id":"github:28","title":"Does not work on terminal-link","description":"This bug only appears on `iTerm 2`.\r\n\r\n### How to reproduce\r\n\r\n```javascript\r\nconst terminalLink = require('terminal-link');\r\nconst stripAnsi = require('strip-ansi');\r\n\r\nconst link = terminalLink('click', 'https://github.com', {fallback: text => text});\r\n\r\nconsole.log(stripAnsi(link));\r\n```\r\n\r\n### Expected ouput\r\n\r\n```\r\nclick\r\n```\r\n\r\n### Actual output\r\n\r\n```\r\nttps://github.com/sindresorhusclick\r\n```","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/chalk/ansi-regex/issues/28","labels":["bug","help wanted"],"created_at":"2026-04-19T04:30:32.201811+00:00","updated_at":"2026-04-19T04:30:32.201811+00:00"},{"id":155,"ecosystem":"npm","package_name":"ansi-regex","affected_version":null,"fixed_version":null,"bug_id":"github:36","title":"Can't match cursorSave and cursorRestore","description":"Today I was working with the regex and noticed that [`cursorSave`](https://github.com/sindresorhus/ansi-escapes/blob/main/index.js#L49) and [`cursorRestore` ](https://github.com/sindresorhus/ansi-escapes/blob/main/index.js#L50) don't get stripped with `strip-ansi`.\r\n\r\nI didn't check the other use cases yet, but wanted to make sure first that it is correct what I assume here.\r\n\r\nIt is the case, happy to send a PR.","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/chalk/ansi-regex/issues/36","labels":["bug","help wanted"],"created_at":"2026-04-19T04:30:32.201346+00:00","updated_at":"2026-04-19T04:30:32.201346+00:00"},{"id":154,"ecosystem":"npm","package_name":"ansi-regex","affected_version":null,"fixed_version":null,"bug_id":"github:57","title":"\"+\" in links breaks the regex","description":"The library breaks for ANSI links that include + characters:\r\n\r\nNo + characters:\r\n```js\r\n// you can generate this string via ansiEscapes.link(text, url) from the ansi-escapes npm lib\r\nlet str = \"\\u001b]8;;https://www.example.com/?q=hello\\u0007hello\\u001b]8;;\\u0007\";\r\nconsole.log(str.replace(ansiRegex(), ''));\r\n// expected: hello\r\n// observed: hello\r\n```\r\n\r\nWith + characters:\r\n```js\r\n// you can generate this string via ansiEscapes.link(text, url) from the ansi-escapes npm lib\r\nlet str = \"\\u001b]8;;https://www.example.com/?q=hello+world\\u0007hello\\u001b]8;;\\u0007\";\r\nconsole.log(str.replace(ansiRegex(), ''));\r\n// expected: hello\r\n// observed: ttps://www.example.com/?q=hello+worldhello\r\n```","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/chalk/ansi-regex/issues/57","labels":["bug"],"created_at":"2026-04-19T04:30:32.200550+00:00","updated_at":"2026-04-19T04:30:32.200550+00:00"},{"id":153,"ecosystem":"npm","package_name":"ansi-regex","affected_version":null,"fixed_version":null,"bug_id":"osv:MAL-2025-46966","title":"Malicious code in ansi-regex (npm)","description":"The package was compromised and malicious code added.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ghsa-malware (2777701ac1bf8726f2ea353b404c7d765ea3eb7bf0506207db828590ade1bf6e)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n","severity":"medium","status":"open","source":"osv","source_url":"https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised","labels":["GHSA-jvhh-2m83-6w29"],"created_at":"2026-04-19T04:30:31.364917+00:00","updated_at":"2026-04-19T04:30:31.364917+00:00"}],"total":8,"_cache":"miss"}