NPM audit failure - @angular/compiler-cli v7.2.5 #28771
Comments
All these packages are already patched in their latest versions. Angular is on an older version of chokidar (1.x) which uses anymatch 1.x which uses micromatch 2.x which uses braces 1.x. If Angular can update to chokidar 2.x, this issue would be resolved, but I don't know what kind of breaking changes that might introduce (I'm not familiar with any of these packages).
Would be great if this update can be added to the Angular 6 version. We are sadly unable to upgrade to 7 because of some project dependencies.
Facing the same issue (Low: Regular Expression Denial of Service).
I understand that forcing some modules that require v1.x to use v2.x is a hack, but I have pinned
Just to try this change, I am seeing no changes in a fresh
With the package.json changes
After investigating and pulling multiple requests to the dependency change, it looks like Chokidar needs to be updated to a more recent version, which has the depd fixes in
The pinning I applied works for yarn only, not for npm. Besides, there is a need to regenerate the lock file.
I am still getting an audit failure, how can I solve it? Thanks.
@railsstudent the fix is not yet released.
Also confirmed, it's been merged to master but not launched, this shouldn't be closed.
The fix has been merged to both master and 7.2.x. It will be included in the next releases.
v7.2.6 has just been released with the fix included.
I've updated everything and instead of 2 errors now I'm getting one. Am I missing something?
Here is my system info:
Also ran the
@iconio karma-runner/karma#3269 The workaround for yarn users is simple: pinning braces@2.x.
@iconio Karma is also going through the release process for this on v4, please hop over to their branch and look at the braces release for it; it's been moved into master but not deployed.
Hey @vladimiry and @Adam-Kernig thanks!
Can we expect the same fix for the v5-lts version?
@cgds188, yes, the plan is to backport this to the active LTS branches (i.e. 5.x and 6.x).
This is a backport of 745c9c5 to 6.1.x. Related to angular#28771.
This is a backport of 745c9c5 to 5.2.x. Related to angular#28771.
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot.
=== npm audit security report ===
Low Regular Expression Denial of Service
Package braces
Patched in >=2.3.1
Dependency of @angular/compiler-cli [dev]
Path @angular/compiler-cli > chokidar > anymatch > micromatch > braces
More info https://nodesecurity.io/advisories/786