ng new: 4 moderate severity vulnerabilities #26442

Closed
1 task done
codeandcloud opened this issue Nov 21, 2023 · 2 comments
@codeandcloud

Command

new

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

16.x

Description

Setup and Environment

Angular CLI: 17.0.2
Node: 20.9.0
Package Manager: npm 10.1.0
OS: win32 x64

Steps

  1. ng new test
  2. Which stylesheet format would you like to use? SCSS
  3. Do you want to enable Server-Side Rendering (SSR) and Static Site Generation (SSG/Prerendering)? No

Now navigate to the project folder and npm install. It gives the output

up to date, audited 988 packages in 9s

119 packages are looking for funding
run npm fund for details

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

Run npm audit for details.

Running npm audit gives

npm audit report

axios 0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - GHSA-wf5p-g6vw-rhxx
fix available via npm audit fix --force
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/axios
  localtunnel >=1.9.0
  Depends on vulnerable versions of axios
  node_modules/localtunnel
    browser-sync >=2.24.0-rc1
    Depends on vulnerable versions of localtunnel
    node_modules/browser-sync
      @angular-devkit/build-angular >=17.0.0-next.0
      Depends on vulnerable versions of browser-sync
      node_modules/@angular-devkit/build-angular

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

Minimal Reproduction

  1. ng new [project-name]
  2. Which stylesheet format would you like to use? SCSS
  3. Do you want to enable Server-Side Rendering (SSR) and Static Site Generation (SSG/Prerendering)? No
  4. cd [project-name]
  5. npm install
  6. npm audit

Exception or Error

No response

Your Environment

Angular CLI: 17.0.2
Node: 20.9.0
Package Manager: npm 10.1.0
OS: win32 x64

Angular:
...

Package                      Version
------------------------------------------------------
@angular-devkit/architect    0.1700.2 (cli-only)
@angular-devkit/core         17.0.2 (cli-only)
@angular-devkit/schematics   17.0.2 (cli-only)
@schematics/angular          17.0.2 (cli-only)

Anything else relevant?

No response
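
Added example (not part of the original issue and not Angular or npm code): the audit report above counts four packages, but only axios carries an advisory; the other three are flagged because they depend on it. Assuming the `npm audit --json` layout (auditReportVersion 2), this groups findings by root advisory; the sample object is constructed from the text report above and trimmed to the fields the script reads.

```javascript
// Constructed sample: the fields of `npm audit --json` (auditReportVersion 2)
// that this script reads, filled in from the text report in the issue.
const report = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: {
      name: "axios", severity: "moderate", range: "0.8.1 - 1.5.1",
      via: [{ name: "axios", title: "Axios Cross-Site Request Forgery Vulnerability",
              url: "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx" }],
      effects: ["localtunnel"],
    },
    localtunnel: { name: "localtunnel", severity: "moderate", range: ">=1.9.0",
      via: ["axios"], effects: ["browser-sync"] },
    "browser-sync": { name: "browser-sync", severity: "moderate", range: ">=2.24.0-rc1",
      via: ["localtunnel"], effects: ["@angular-devkit/build-angular"] },
    "@angular-devkit/build-angular": { name: "@angular-devkit/build-angular",
      severity: "moderate", range: ">=17.0.0-next.0", via: ["browser-sync"], effects: [] },
  },
};

// Group findings by the advisory that causes them. An entry whose `via`
// contains an object carries its own advisory; string entries only name
// the vulnerable dependency the package inherits the finding from.
function rootAdvisories(audit) {
  const vulns = audit.vulnerabilities || {};
  const roots = [];
  for (const v of Object.values(vulns)) {
    const advisories = v.via.filter((x) => typeof x === "object");
    if (advisories.length === 0) continue;
    // Follow `effects` upward to collect every package flagged because of v.
    const affected = [];
    const seen = new Set([v.name]); // guards against dependency cycles
    const queue = [...v.effects];
    while (queue.length > 0) {
      const name = queue.shift();
      if (seen.has(name)) continue;
      seen.add(name);
      affected.push(name);
      queue.push(...((vulns[name] || {}).effects || []));
    }
    roots.push({ package: v.name, range: v.range,
                 advisories: advisories.map((a) => a.url), flaggedDependents: affected });
  }
  return roots;
}

console.log(JSON.stringify(rootAdvisories(report), null, 2));
```

On a real project, save the output of `npm audit --json` to a file and pass the parsed object to `rootAdvisories` in place of the constructed `report`.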

@alan-agius4
Collaborator

Duplicate of #26349

alan-agius4 marked this as a duplicate of #26349 on Nov 21, 2023
alan-agius4 closed this as not planned on Nov 21, 2023
@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

angular-automatic-lock-bot locked and limited conversation to collaborators on Dec 22, 2023