webpack-dev-server vulnerability #13342
Comments
I guess it will be fixed in the next release #13277
I'll back port the fix to the patch branch later on today
Updating to version 3.1.14 may not work, as per webpack/webpack-dev-server#1615
Actually, upgrading to 3.1.14 might work, if the typo in the vulnerability database had been fixed: https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/4
Thanks @Diaan for your input.
I am also getting the Missing Origin Validation vulnerability. Steps to reproduce:
Notice the different
`npm audit`
High Missing Origin Validation
@alan-agius4 I am really surprised that this isn't being addressed quicker. It impacts every single person using
Just coming in late to this thread.
If I read the vulnerability correctly, it only affects people doing HMR, and having a server listening on something too permissive (we default to localhost), right? This is far from "every single person". That being said, we should still fix it. In general though, I would avoid hyperbole when it comes to security. NPM audit is known to be crying wolf a bit.
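To make the scope in the comment above concrete, here is an added illustration (not code from webpack-dev-server or Angular CLI) of the Origin check that an HMR WebSocket endpoint needs; it assumes the dev server treats `localhost` and `127.0.0.1` as its own hosts and the request/socket shapes are Node's `http` upgrade event objects.

```javascript
// Added example, not code from webpack-dev-server or Angular CLI: the kind of Origin
// check a dev server's HMR WebSocket endpoint needs. A browser sends Origin on the
// WebSocket upgrade request; without a check, any page the developer has open can
// connect to the dev server, which matters once it listens on more than localhost.

// Hostnames the dev server treats as its own (assumption for this example).
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1']);

// True only when Origin parses as http(s) and its hostname is on the allowlist.
// A missing or opaque Origin ("null") is rejected rather than allowed by default.
function isAllowedOrigin(origin, allowedHosts = ALLOWED_HOSTS) {
  if (typeof origin !== 'string') return false;
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false; // "null", garbage, or no scheme: not a trusted page
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return allowedHosts.has(url.hostname); // exact match, not a prefix match
}

// Handler for Node's http.Server 'upgrade' event: server.on('upgrade', handleUpgrade).
// Returns 'accept' or 'reject' so the decision can be checked without a real socket.
function handleUpgrade(req, socket) {
  if (!isAllowedOrigin(req.headers.origin)) {
    socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
    socket.destroy();
    return 'reject';
  }
  // Accepted: hand the socket to the WebSocket/HMR handler (not shown here).
  return 'accept';
}

// Constructed sample requests: one from the dev page itself, one from another site.
const sameSiteReq = { headers: { origin: 'http://localhost:4200' } };
const crossSiteReq = { headers: { origin: 'http://localhost.example.net' } };
```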
@hansl
After reading the details of what is presumed to be the issue, a typo, I agree and stated in my post that from a security perspective it isn't a huge deal (in an effort to avoid hyperbole), but it took me some digging to make that determination myself. Wouldn't you want a clean install of @angular-devkit/build-angular? So, yes, every single person that installs @angular-devkit/build-angular will see that audit error. We can debate the validity of Feel free to correct me if I am wrong.
+1
@hansl
@mjknight50, yes, we do agree that this should be addressed, and as a matter of fact there is a PR in the merge queue and it will be released early next week. While the audit message is shown to everybody, the vulnerability itself only impacts a small group of people, and hence cutting a release late in the week for this week had a small benefit with a high risk.
+1 waiting for fix
+1 waiting for fix
The problem is that everybody who sees this error and cares about his projects has to spend the time to find out what's going on. Took me "only" 20..30 minutes, but could be better spent.
+1 waiting for fix
Spamming "+1 waiting for fix" does not speed up the process 🤨
But adding +1 might increase your bug frequency label from 'low' to 'high' :)
We are getting emails from GitHub to fix vulnerabilities in our angular repos
Hey everyone, in tomorrow's release we'll publish this fix. The update will be available in 7.1.5. You can follow the releases page (preferably) for updates or twitter.
Closed via
FYI, Angular CLI LTS release already introduced this security fix https://github.com/angular/angular-cli/releases/tag/v6.2.9.
from https://angular.io/guide/releases
So from what I understand the active should have more updates and patches than the LTS (because they will fix a bug even if it's not critical), but all will have security patches. There is nothing saying "if you want the most secure angular project don't go with the active and stay with LTS".
It seems that the issue is still in the 7.2.0 release?
@alan-agius4 @filipesilva this fix is not included in 7.2.0
@Teamop, @alan-agius4, @filipesilva Edited to confirm that this was not included in the release.
Why is this issue still in 7.2.0?
@ChristopherKiss That compare shows the changes between v7.2.0 and master, right? If I am not mistaken this means changes in master after the v7.2.0 tag. It seems like it was not included in v7.2.0.
My apologies, you are correct, I misread the link on the releases page. It was not included in 7.2.
Hi all, we're looking at why this wasn't included in the 7.2 release and will probably do a new release with it later today.
Not fixed in 7.2.x. 😥
+1
Thank you @filipesilva
@michaelsanford you can simply run
Versions of @angular-devkit/build-angular and @angular/compiler-cli are updated to fix the webpack-dev-server vulnerability as it is described in angular/angular-cli#13342 (comment) and angular/angular-cli#13342 (comment).
Bug Report or Feature Request (mark with an x)
Command (mark with an x)
Versions
node: 10.14.2
npm: 6.4.1
Repro steps
npm install
The log given by the failure
https://nodesecurity.io/advisories/725