Bug 2038298: Upgrade deep dependency ansi-regex to 3.0.1, 4.1.1, 5.0.1 to address CVE-2021-3807

[mturley]

See GHSA-93q8-gq69-wqmw for vulnerability details.

Affected versions	Patched versions
>= 6.0.0, < 6.0.1	6.0.1
>= 5.0.0, < 5.0.1	5.0.1
>= 4.0.0, < 4.1.1	4.1.1
>= 3.0.0, < 3.0.1	3.0.1

We depend on vulnerable versions ansi-regex@5.0.0, ansi-regex@4.1.0 and ansi-regex@3.0.0 via transitive dependencies of webpack-dev-server, node-sass, html-webpack-plugin, strip-ansi, pretty-format, yargs, cliui, wrap-ansi, wide-align and ansi-align (see yarn why output below).

This PR upgrades our lockfile to use the patched versions for each of these (3.0.1, 4.1.1, 5.0.1).

• The original fix in ansi-regex is here: Fix potential ReDoS chalk/ansi-regex#37
• The backport to ansi-regex@5.0.1 is documented here: https://github.com/chalk/ansi-regex/releases/tag/v5.0.1
• The backports to ansi-regex@4.1.1 and ansi-regex@3.0.1 are not documented on the ansi-regex releases page, but they can be seen on the release branches here and here, as supported by these versions being listed as patched on the advisory page.

Related BZs:

• 1.7.2: https://bugzilla.redhat.com/show_bug.cgi?id=2038298
• 1.6.5: https://bugzilla.redhat.com/show_bug.cgi?id=2013356
  • Backport: Bug 2013356: [Backport - 1.6.5] Upgrade deep dependency ansi-regex to 3.0.1, 4.1.1, 5.0.1 to address CVE-2021-3807 #1411
• 1.5.5: No BZ yet
  • Backport: [Backport - 1.5.5] Upgrade deep dependency ansi-regex to 3.0.1, 4.1.1, 5.0.1 to address CVE-2021-3807 #1412

$ yarn why ansi-regex
yarn why v1.22.10
[1/4] 🤔  Why do we have the module "ansi-regex"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "ansi-regex@2.1.1"
info Has been hoisted to "ansi-regex"
info Reasons this module exists
   - Hoisted from "webpack-dev-server#strip-ansi#ansi-regex"
   - Hoisted from "node-sass#chalk#has-ansi#ansi-regex"
   - Hoisted from "node-sass#chalk#strip-ansi#ansi-regex"
   - Hoisted from "html-webpack-plugin#pretty-error#renderkid#strip-ansi#ansi-regex"
   - Hoisted from "node-sass#npmlog#gauge#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "strip-ansi#ansi-regex@5.0.0"
info This module exists because "strip-ansi" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "pretty-format#ansi-regex@5.0.0"
info This module exists because "@types#jest#pretty-format" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "yargs#ansi-regex@4.1.0"
info Reasons this module exists
   - "yargs#string-width#strip-ansi" depends on it
   - Hoisted from "yargs#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "cliui#ansi-regex@4.1.0"
info Reasons this module exists
   - "yargs#cliui#strip-ansi" depends on it
   - Hoisted from "yargs#cliui#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "wrap-ansi#ansi-regex@4.1.0"
info Reasons this module exists
   - "yargs#cliui#wrap-ansi#strip-ansi" depends on it
   - Hoisted from "yargs#cliui#wrap-ansi#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "wide-align#ansi-regex@3.0.0"
info Reasons this module exists
   - "node-sass#npmlog#gauge#wide-align#string-width#strip-ansi" depends on it
   - Hoisted from "node-sass#npmlog#gauge#wide-align#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "ansi-align#ansi-regex@4.1.0"
info Reasons this module exists
   - "nodemon#update-notifier#boxen#ansi-align#string-width#strip-ansi" depends on it
   - Hoisted from "nodemon#update-notifier#boxen#ansi-align#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
✨  Done in 0.50s.

[github-actions]

Unable to find bug with id: 2038298. Please make sure the bug if created and valid.

[github-actions]

Unable to find bug with id: 2038298. Please make sure the bug if created and valid.

[github-actions]

Unable to find bug with id: 2038298. Please make sure the bug if created and valid.

[github-actions]

Unable to find bug with id: 2038298. Please make sure the bug if created and valid.

[github-actions]

Unable to find bug with id: 2038298. Please make sure the bug if created and valid.

[github-actions]

Unable to find bug with id: 2038298. Please make sure the bug if created and valid.

[github-actions]

Unable to find bug with id: 2038298. Please make sure the bug if created and valid.

[rayfordj]

/lgtm

[github-actions]

Unable to find bug with id: 2038298. Please make sure the bug if created and valid.

[github-actions]

Unable to find bug with id: 2038298. Please make sure the bug is created and valid.