GHSA-8mgj-vmr8-frr6 lists incorrect dependencies * instead of v4.4.2

[hpierre74]

The Avidsory GHSA-8mgj-vmr8-frr6 is a wildcard while npm has removed the malicious dependency v4.4.2

debug-js/debug#1005
chalk/chalk#656

Unless I am missing something, previous versions seem unaffected.
Please update to unlock development pipelines of unaffected packages.

[marcalexiei]

This issue also appears to affect other packages mentioned in advisories published today.
I’ve opened an issue with all the information I was able to gather: #6099

[JonathanLEvans]

Thank you for bringing this to our attention! The version ranges in the advisories have been corrected. Please let us know if there are any more issues.

[nightvision04]

Thank you for bringing this to our attention! The version ranges in the advisories have been corrected. Please let us know if there are any more issues.

Hi @JonathanLEvans , I expect that npm audit returns:

color-string Vulnerable versions >=2.1.1 Patched versions <2.1.0

but currently we still get:

color-string Vulnerable versions >=0 Patched versions <0.0.0

This is breaking all of the production builds that currently have correctly downgraded but still relies on an npm audit step. When can we expect the npm vulnerabilities db to be updated/propogated?

Also being discussed: #6099