
webpack-dev-server vulnerability #13342

Closed
markgoho opened this issue Jan 2, 2019 · 38 comments
Comments

@markgoho (Contributor) commented Jan 2, 2019

Bug Report or Feature Request (mark with an x)

- [X] bug report -> please search issues before submitting
- [ ] feature request

Command (mark with an x)

- [ ] new
- [ ] build
- [ ] serve
- [ ] test
- [ ] e2e
- [ ] generate
- [ ] add
- [ ] update
- [ ] lint
- [ ] xi18n
- [ ] run
- [ ] config
- [ ] help
- [ ] version
- [ ] doc
- [X] dependencies

Versions

node: 10.14.2
npm: 6.4.1

Angular CLI: 7.1.4
Node: 10.14.2
OS: win32 x64
Angular: 7.1.4
@angular-devkit/architect         0.10.7
@angular-devkit/build-angular     0.11.4
@angular-devkit/build-optimizer   0.11.4
@angular-devkit/build-webpack     0.10.7
@angular-devkit/core              7.0.7
@angular-devkit/schematics        7.1.4
@ngtools/webpack                  7.1.4
@schematics/angular               7.1.4
@schematics/update                0.11.4
rxjs                              6.3.3
typescript                        3.1.6
webpack                           4.19.1
--

Repro steps

npm install

The log given by the failure

=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

High            Missing Origin Validation
Package         webpack-dev-server
Patched in      >=3.1.11
Dependency of   @angular-devkit/build-angular [dev]
Path            @angular-devkit/build-angular > webpack-dev-server
More info       https://nodesecurity.io/advisories/725

found 1 high severity vulnerability in 78596 scanned packages
1 vulnerability requires manual review. See the full report for details.
--

https://nodesecurity.io/advisories/725

@L2jLiga (Contributor) commented Jan 2, 2019

I guess it will be fixed in next release #13277

@alan-agius4 alan-agius4 self-assigned this Jan 2, 2019
@ngbot ngbot bot added this to the needsTriage milestone Jan 2, 2019
@alan-agius4 alan-agius4 added type: bug/fix freq1: low Only reported by a handful of users who observe it rarely labels Jan 2, 2019
@ngbot ngbot bot modified the milestones: needsTriage, Backlog Jan 2, 2019
@alan-agius4 (Collaborator)

I’ll back port the fix to the patch branch later on today

@charlesfaustin

updating to version 3.1.14 may not work, as per webpack/webpack-dev-server#1615

@Diaan commented Jan 2, 2019

Actually, upgrading to 3.1.14 might work, if the typo in the vulnerability database had been fixed: https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/4

@alan-agius4 (Collaborator)

Thanks @Diaan for your input.

@RandyDaddis

I am also getting the Missing Origin Validation vulnerability.

Steps to reproduce:

npm uninstall -g @angular/cli
npm cache verify

npm install -g @angular/cli
npm cache verify

cd c:\src
c:\src>ng new spa

? Would you like to add Angular routing? Yes
? Which stylesheet format would you like to use? SCSS   [ http://sass-lang.com   ]

added 1133 packages from 1180 contributors and audited 40178 packages in 41.531s
found 1 high severity vulnerability

c:\src >cd spa
c:\src\spa>npm audit
                  === npm audit security report ===
                            Manual Review
       Some vulnerabilities require your attention to resolve
   Visit https://go.npm.me/audit-guide for additional guidance

High Missing Origin Validation
Package webpack-dev-server
Patched in >=3.1.11
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > webpack-dev-server
More info https://nodesecurity.io/advisories/725

found 1 high severity vulnerability in 40178 scanned packages
1 vulnerability requires manual review. See the full report for details.

c:\src\spa>npm audit fix

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

up to date in 5.196s
fixed 0 of 1 vulnerability in 40178 scanned packages
1 vulnerability required manual review and could not be updated

c:\src\spa>npm install webpack-dev-server --save-dev

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

  • webpack-dev-server@3.1.14
    added 39 packages from 17 contributors, updated 4 packages and audited 43619 packages in 10.377s
    found 1 high severity vulnerability
    run npm audit fix to fix them, or npm audit for details
c:\src\spa>npm audit
                  === npm audit security report ===
                            Manual Review
       Some vulnerabilities require your attention to resolve
     Visit https://go.npm.me/audit-guide for additional guidance

High Missing Origin Validation
Package webpack-dev-server
Patched in >=3.1.11
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > webpack-dev-server
More info https://nodesecurity.io/advisories/725

found 1 high severity vulnerability in 43619 scanned packages
1 vulnerability requires manual review. See the full report for details.

c:\src\spa>ng update

We analyzed your package.json and everything seems to be in order. Good work!

Notice the different webpack and webpack-dev-server dependencies:

C:\src\spa\node_modules\@angular-devkit\build-angular\package.json

{
  "_from": "@angular-devkit/build-angular@~0.11.0",
  "_id": "@angular-devkit/build-angular@0.11.4",
  "dependencies": {
    "webpack": "4.23.1",
    "webpack-dev-server": "3.1.10",
  },
}

C:\src\spa\node_modules\@angular-devkit\build-webpack\package.json

{
  "_from": "@angular-devkit/build-webpack@0.11.4",
  "_id": "@angular-devkit/build-webpack@0.11.4",
  "peerDependencies": {
    "webpack": "^4.6.0",
    "webpack-dev-server": "^3.1.4"
  },
}

C:\src\spa\node_modules\webpack-dev-server\package.json

{
  "_from": "webpack-dev-server@3.1.10",
  "_id": "webpack-dev-server@3.1.10",
  "peerDependencies": {
    "webpack": "^4.0.0"
  },
}

[https://github.com/angular/angular-cli/blob/master/packages/angular_devkit/build_angular/package.json]
(updated 7 days ago)

{
  "name": "@angular-devkit/build-angular",
  "dependencies": {
    "webpack-dev-server": "3.1.14"
  },
}

[https://www.npmjs.com/package/@angular-devkit/build-angular]
(published 14 days ago)

Do you have an ETA for updating the npm package?

cref:
https://nodesecurity.io/advisories/725
https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/9
facebook/create-react-app#6109

@Rajsekar89

Am getting this same error.

npm audit
=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve

Visit https://go.npm.me/audit-guide for additional guidance

High Missing Origin Validation
Package webpack-dev-server
Patched in >=3.1.11
Dependency of @angular-devkit/build-angular
Path @angular-devkit/build-angular > webpack-dev-server
More info https://nodesecurity.io/advisories/725

Please let me know if there is any patch update for the devkit or its transitive webpack dependency.

@mjknight50 commented Jan 4, 2019

@alan-agius4 I am really surprised that this isn't being addressed quicker.

It impacts every single person using @angular-devkit/build-angular
The frequency isn't low, it is high.
While it may be a false positive in terms of the actual security risk (just a typo), it is clearly an issue for those trying to use npm audit in their build pipeline.

@hansl (Contributor) commented Jan 4, 2019

Just coming in late to this thread.

It impacts every single person using @angular-devkit/build-angular

If I read the vulnerability correctly, it only affects people doing HMR, and having a server listening on something too permissive (we default to localhost), right? This is far from "every single person".

That being said, we should still fix it. In general though, I would avoid hyperboles when it comes to security. NPM audit is known to be crying wolf a bit.

@mjknight50 commented Jan 5, 2019

@hansl npm audit throws a big red flag for anyone who installs @angular-devkit/build-angular

 npm install @angular-devkit/build-angular
+ @angular-devkit/build-angular@0.11.4
found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

After reading the details of what is presumed to be the issue, a typo, I agree and stated in my post that from a security perspective it isn't a huge deal (in an effort to avoid hyperbole), but it took me some digging to make that determination myself. Wouldn't you want a clean install of @angular-devkit/build-angular ?

So, yes, every single person that installs @angular-devkit/build-angular will see that audit error. We can debate the validity of npm audit, but the high severity vulnerability message displays to everyone.

Feel free to correct me if I am wrong.

@ShahanaFarooqui

+1

@peterennis

@hansl
I get this alert now in 5 of my Angular projects.
This PR and comment provides information on likely fix "next Wednesday" #13347 (comment)

@alan-agius4 (Collaborator)

@mjknight50, yes, we do agree that this should be addressed, and as a matter of fact there is a PR in the merge queue and it will be released early next week.

While the audit message is shown to everybody, the vulnerability itself only impacts a small group of people, and hence cutting a release late this week would have had a small benefit with a high risk.

@austenstone

+1 waiting for fix

@paul58914080

+1 waiting for fix

@Knacktus commented Jan 7, 2019

The problem is that everybody who sees this error and cares about his projects has to spend the time to find out what's going on. Took me "only" 20..30 minutes, but could be better spent.

@ohager commented Jan 8, 2019

+1 waiting for fix

@Atomzwieback

Spamming „+1 waiting for fix“ does not speed up the process 🤨

@ShahanaFarooqui

But adding +1 might increase your bug frequency label from 'low' to 'high' :)

@robertIsaac

We are getting emails from GitHub to fix vulnerabilities in our Angular repos.
This is very annoying and causes a waste of time for every Angular developer because there is no solution yet.
From what I read, I understand it has low frequency (as a standalone attack), but nowadays it is rare for a cyber attack to use just one vulnerability; usually it is a sophisticated attack using multiple vulnerabilities.
So you had better fix it ASAP.

@mgechev (Member) commented Jan 8, 2019

Hey everyone, in tomorrow's release we'll publish this fix. The update will be available in 7.1.5.

You can follow the releases page (preferably) for updates or twitter.

@alan-agius4 (Collaborator)

Closed via
aeff0fb

@mgechev (Member) commented Jan 8, 2019

FYI, Angular CLI LTS release already introduced this security fix https://github.com/angular/angular-cli/releases/tag/v6.2.9.

@robertIsaac

FYI, Angular CLI LTS release already introduced this security fix https://github.com/angular/angular-cli/releases/tag/v6.2.9.

from https://angular.io/guide/releases

6 months of active support, during which regularly-scheduled updates and patches are released.

12 months of long-term support (LTS), during which only critical fixes and security patches are released.

So from what I understand, the active release should have more updates and patches than the LTS (because they will fix a bug even if it is not critical), but all will have security patches.

There is nothing saying that if you want the most secure Angular project you should not go with the active release and stay with LTS.

@mindstorm

it seems that the issue is still in the 7.2.0 release?

@Teamop (Contributor) commented Jan 9, 2019

@alan-agius4 @filipesilva this fix is not included in the 7.2.0

@christopher-kiss commented Jan 9, 2019

@Teamop, @alan-agius4 , @filipesilva

Edited to confirm that this was not included in the release.

@julianpoemp

why is this issue still in 7.2.0?

@kelsos commented Jan 9, 2019

@ChristopherKiss That compare shows the changes between v7.2.0 and master right? If I am not mistaken this means changes in master after the v7.2.0 tag. It seems like it was not included to v7.2.0.

@christopher-kiss

@kelsos,

My apologies, you are correct, I misread the link on the releases page.

It was not included in 7.2.

@filipesilva (Contributor)

Hi all, we're looking at why this wasn't included in the 7.2 release and will probably do a new release with it later today.

@dawidrylko

Not fixed in 7.2.x. 😥

@Jackesparta

+1

@johnpapa (Contributor) commented Jan 9, 2019

Thank you @filipesilva

@filipesilva (Contributor) commented Jan 9, 2019

@angular/cli@7.2.1 and @angular-devkit/build-angular@0.12.1 are now released. Using these versions should remove the audit failure.

@athlonUA commented Jan 9, 2019

@michaelsanford you can simply run npm audit fix after ng update

athlon_ua @ ~/GitHub/project - [master] $ npm audit fix
+ @angular-devkit/build-angular@0.12.1
added 13 packages from 43 contributors, removed 1 package and updated 20 packages in 26.558s
fixed 1 of 1 vulnerability in 42333 scanned packages

dgswan pushed a commit to T-Systems-MMS/skoop-webapp that referenced this issue Feb 18, 2019
dgswan added a commit to T-Systems-MMS/skoop-webapp that referenced this issue Feb 18, 2019
Versions of @angular-devkit/build-angular and @angular/compiler-cli are updated to fix the webpack-dev-server vulnerability as it is described in
angular/angular-cli#13342 (comment) and angular/angular-cli#13342 (comment).
@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Sep 9, 2019