Can ansi-html dependency be shifted to ansi-html-community to address advisory?

[lupestro]

ansi-html has a high priority advisory against it for uncontrolled resource consumption and has had no new versions since 2017 and no response from the author. ansi-html-community is a fork of it that issued a 0.0.8 release in early September to address the issue. See PR on the original repo. Can the dependency be shifted to the fork?

[ohsnapitscolin]

It looks like the PR above has been merged and a new version of ansi-html has been released. Can the ansi-html dependency in this repo be updated to use the new version?

[gorner]

Reposting a comment from the above-linked PR as a PSA for anyone this still affects:

Unfortunately this project seems to have remained dormant as the Ember community has shifted their focus to building out Embroider as the eventual replacement for Broccoli.

For now I would recommend specifying the updated version as an override in your package.json. Assuming you're using NPM, this would be:

"overrides": {
  "ansi-html": "^0.0.8"
}

(If you're using Yarn, use "resolutions" instead of "overrides".)