Skip to content

low risk security issues in ng new npm dependency graph #17642

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
1 of 15 tasks
IgorMinar opened this issue May 5, 2020 · 2 comments · Fixed by #17725
Closed
1 of 15 tasks

low risk security issues in ng new npm dependency graph #17642

IgorMinar opened this issue May 5, 2020 · 2 comments · Fixed by #17725
Labels
area: @angular-devkit/build-angular freq3: high severity6: security type: bug/fix
Milestone
Backlog

Comments

@IgorMinar
Copy link
Contributor

🐞 Bug report

Command (mark with an x)

  • new
  • build
  • serve
  • test
  • e2e
  • generate
  • add
  • update
  • lint
  • xi18n
  • run
  • config
  • help
  • version
  • doc

Is this a regression?

No

Description

No

🔬 Minimal Reproduction

ng new foo
yarn audit / npm audit

🔥 Exception or Error


$ yarn audit
yarn audit v1.21.1
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma > optimist > minimist                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1179                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ protractor                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ protractor > yargs > yargs-parser                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular-devkit/build-angular                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular-devkit/build-angular > webpack-dev-server > yargs > │
│               │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
3 vulnerabilities found - Packages audited: 16524
Severity: 3 Low

🌍 Your Environment


Angular CLI: 9.1.4
Node: 12.13.1
OS: darwin x64

Angular: 9.1.4
... animations, cli, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router
Ivy Workspace: Yes

Package                           Version
-----------------------------------------------------------
@angular-devkit/architect         0.901.4
@angular-devkit/build-angular     0.901.4
@angular-devkit/build-optimizer   0.901.4
@angular-devkit/build-webpack     0.901.4
@angular-devkit/core              9.1.4
@angular-devkit/schematics        9.1.4
@angular/cdk                      9.2.2
@angular/material                 9.2.2
@ngtools/webpack                  9.1.4
@schematics/angular               9.1.4
@schematics/update                0.901.4
rxjs                              6.5.5
typescript                        3.8.3
webpack                           4.42.0

Anything else relevant?
@ngbot ngbot bot modified the milestone: needsTriage May 5, 2020
@ngbot ngbot bot modified the milestones: needsTriage, Backlog May 5, 2020
This was referenced May 13, 2020
Closed
Merged
Merged
filipesilva pushed a commit that referenced this issue May 15, 2020
@alan-agius4 @filipesilva
fix(@schematics/angular): address vulnerability in protractor
56bba34 
potractor <7 contains a low severity vulnerability due to one of its dependencies (yargs-parser)

See: https://npmjs.com/advisories/1500

Fixes #17642
filipesilva pushed a commit that referenced this issue May 15, 2020
@alan-agius4 @filipesilva
fix(@angular-devkit/build-angular): address vulnerability in webpack-…
408770d 
…dev-server

webpack-dev-server <3.11.0 and protractor <7 contains a low severity vulnerability due to one of its dependencies (yargs-parser)

See: https://npmjs.com/advisories/1500

Fixes #17642
filipesilva pushed a commit that referenced this issue May 15, 2020
@alan-agius4 @filipesilva
fix(@schematics/angular): address vulnerability in protractor
77e4059 
webpack-dev-server <3.11.0 and protractor <7 contains a low severity vulnerability due to one of its dependencies (yargs-parser)

See: https://npmjs.com/advisories/1500

Fixes #17642
This was referenced May 21, 2020
Closed
Closed
Closed
Merged
Merged
Merged
Merged
Closed
Closed
Merged
Merged
Merged
This was referenced Jun 1, 2020
Merged
Closed
Merged
Merged
Closed
Closed
Closed
Closed
Closed
Merged
Closed
Closed
Merged
Closed
Closed
Merged
Merged
Merged
Merged
This was referenced Jun 7, 2020
Merged
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@angular-automatic-lock-bot
Copy link

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Jun 22, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
area: @angular-devkit/build-angular freq3: high severity6: security type: bug/fix
Projects
None yet
Milestone
Backlog
Development

Successfully merging a pull request may close this issue.

fix(@schematics/angular): address vulnerability in protractor
3 participants
@IgorMinar @elezar42 @alan-agius4