
Angular CLI 12 generates a project with 35 npm vulnerabilities #20795

Closed
StefanNedelchev opened this issue May 14, 2021 · 11 comments
StefanNedelchev commented May 14, 2021

After installing the latest CLI (v12), I decided to generate a clean new project to see what's different and what's being generated. Unfortunately, I found that the generated project has 35 vulnerabilities in its npm packages right off the bat. The vulnerabilities are not critical, but they can't be resolved automatically using npm audit fix. The audit report shows all the vulnerabilities in the following way:

Moderate        Regular Expression Denial of Service

Package         postcss

Patched in      >=8.2.10

Dependency of   @angular-devkit/build-angular [dev]

Path            @angular-devkit/build-angular > postcss-preset-env >
                    autoprefixer > postcss

I hope that I reported the issue in the correct repository.

@StefanNedelchev StefanNedelchev changed the title Angular CLI 12 generates a project with 35 severity vulnerabilities Angular CLI 12 generates a project with 35 npm vulnerabilities May 14, 2021
@alan-agius4 (Collaborator)

Blocked on csstools/postcss-preset-env#191

crooksey commented May 18, 2021

Probably the best place for this: with the current postcss-preset-env package, @angular-devkit/build-angular is also using PostCSS v7 and v8, which has its own errors:

Unknown error from PostCSS plugin. Your current PostCSS version is 8.2.14, but postcss-preset-env uses 7.0.35. Perhaps this is the source of the error below.

When running the following command:

npm ls postcss

I can see that PostCSS v8 is used in:

  • css-loader@5.2.4
  • cssnano@5.0.2
  • postcss-import@14.0.1
  • postcss-loader@5.2.0

Then the following dependencies use v7:

  • postcss-preset-env@6.7.0

hfournier commented May 20, 2021

Seeing the same thing in an Angular 11.2.14 project, but following a different path to postcss:

Moderate        Regular Expression Denial of Service

Package         postcss

Patched in      >=8.2.10

Dependency of   @angular-devkit/build-angular [dev]

Path            @angular-devkit/build-angular > resolve-url-loader > postcss

More info       https://npmjs.com/advisories/1693

Running npm ls postcss, I get:

+-- @angular-devkit/build-angular@0.1102.13
| +-- css-loader@5.0.1
| | `-- postcss@8.2.14  deduped
| +-- postcss@8.2.14
| `-- resolve-url-loader@4.0.0
|   `-- postcss@7.0.35
+-- netlify-cli@3.31.16
| `-- @netlify/zip-it-and-ship-it@4.2.1
|   `-- precinct@6.3.1
|     `-- detective-postcss@3.0.1
|       `-- postcss@7.0.35
`-- netlify-schematics@3.2.0
  `-- netlify-cli@2.71.0
    `-- @netlify/zip-it-and-ship-it@2.7.1
      `-- precinct@6.3.1
        `-- detective-postcss@3.0.1
          `-- postcss@7.0.35

@jimmyengman

I have updated a project to Angular 12.0.1, and when running npm ls postcss I get the same result as @crooksey, with the addition that resolve-url-loader@4.0.0 also uses postcss@7.0.35.

The following dependencies use v7:

  • postcss-preset-env@6.7.0
  • resolve-url-loader@4.0.0
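The comments from crooksey, hfournier and jimmyengman above all do the same thing by hand: run npm ls postcss and pick out which copies of postcss are still on a vulnerable version. The script below is an added example, not code from this issue or from the Angular CLI project. It walks a dependency tree shaped like the JSON that npm ls postcss --json prints (that shape, a nested "dependencies" map with a "version" per node, is an assumption of this example), lists every path that ends in postcss, and flags a copy as unpatched when it is below the patched release for its major line. The patched versions come from this thread (>=8.2.10 from the audit text, 7.0.36 from the closing comment), and the sample tree is constructed to mirror the versions hfournier posted.

```javascript
// Constructed sample shaped like `npm ls postcss --json` output (assumed shape:
// each node has "version" and an optional "dependencies" map). Package names
// and versions mirror the tree posted in the issue.
const sampleTree = {
  name: "sample-app",
  version: "0.0.0",
  dependencies: {
    "@angular-devkit/build-angular": {
      version: "0.1102.13",
      dependencies: {
        "css-loader": {
          version: "5.0.1",
          dependencies: { postcss: { version: "8.2.14" } },
        },
        postcss: { version: "8.2.14" },
        "resolve-url-loader": {
          version: "4.0.0",
          dependencies: { postcss: { version: "7.0.35" } },
        },
      },
    },
  },
};

// First patched release per major line, as stated in this thread:
// ">=8.2.10" from the audit output, 7.0.36 from the closing comment.
const PATCHED = { postcss: { 7: "7.0.36", 8: "8.2.10" } };

// Compare two dotted numeric versions; returns -1, 0 or 1.
// No prerelease handling: enough for the release versions npm ls prints here.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `version` of `pkg` is at or above the patched release for its
// major line. Majors with no entry in PATCHED are treated as unaffected.
function isPatched(pkg, version) {
  const major = Number(version.split(".")[0]);
  const fixed = (PATCHED[pkg] || {})[major];
  return fixed === undefined || compareVersions(version, fixed) >= 0;
}

// Depth-first walk that records every node named `pkg`, with the full
// dependency path leading to it (the same information `npm ls` prints).
function findPackage(tree, pkg, trail = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const path = [...trail, `${name}@${node.version}`];
    if (name === pkg) {
      out.push({
        path: path.join(" > "),
        version: node.version,
        patched: isPatched(pkg, node.version),
      });
    }
    findPackage(node, pkg, path, out);
  }
  return out;
}

// Only the copies that still need an upgrade.
function vulnerablePaths(tree, pkg) {
  return findPackage(tree, pkg).filter((hit) => !hit.patched);
}

// Report every copy of postcss in the sample tree and its status.
for (const hit of findPackage(sampleTree, "postcss")) {
  console.log(`${hit.patched ? "ok      " : "UNPATCHED"}  ${hit.path}`);
}
```

To run this against a real project, replace sampleTree with JSON.parse of the output of npm ls postcss --json. Checking against the first patched release of each major line, rather than a single ">=8.2.10" threshold, is what separates the two cases in this thread: postcss@8.2.14 under css-loader is fine, while postcss@7.0.35 under resolve-url-loader is the copy that only went away once 7.0.36 shipped.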

crooksey commented May 21, 2021

@jimmyengman you shouldn't need resolve-url-loader now, as it is a dependency of @angular-devkit/build-angular@12.0.1, but upgrading postcss-preset-env is something I am also looking into, to see if I can help with some PRs etc. to bring it in line with v8.

@pascalm19

@angular-devkit/build-angular version 0.1102.14
A yarn audit returns that it has 3 vulnerabilities: 2 moderate | 1 high
glob-parent : Patched in >=5.1.2
postcss : Patched in >=8.2.10
css-what : Patched in >=5.0.1

SymbioticKilla commented Jun 11, 2021

glob-parent: #21097

css-what:

postcss: bholloway/resolve-url-loader#198

@alan-agius4 (Collaborator)

Closing, as the originally reported issue should be addressed now since postcss released a security fix in 7.0.36.

More info: https://npmjs.com/advisories/1693

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Jul 19, 2021