NPM audit failure - @angular/compiler-cli v7.2.5 #28771

Closed
mboughaba opened this issue Feb 16, 2019 · 19 comments
Labels
security Issues that generally impact framework or application security

Comments

@mboughaba

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular/compiler-cli [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular/compiler-cli > chokidar > anymatch > micromatch >   │
│               │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/786                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

@jtneal

jtneal commented Feb 16, 2019

@angular/compiler-cli > chokidar > anymatch > micromatch > braces

All these packages are already patched in their latest versions. Angular is on an older version of chokidar (1.x) which uses anymatch 1.x which uses micromatch 2.x which uses braces 1.x.

If Angular can update to chokidar 2.x, this issue would be resolved, but I don't know what kind of breaking changes that might introduce (I'm not familiar with any of these packages).

@perrosen

Would be great if this update can be added to the Angular 6 version. We are sadly unable to upgrade to 7 because of some project dependencies.

@abhimanu-rathi

Facing the same issue.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular/compiler-cli [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular/compiler-cli > chokidar > anymatch > micromatch >   │
│               │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

@vladimiry

I understand that forcing some modules that require v1.x use v2.x is a hack but I have pinned braces to 2.x just recently in order to tackle the issue and @angular/compiler-cli seems to work well with braces@2.x. I don't use the complete Angular CLI thing though but only @angular/compiler-cli module directly with custom webpack config.

@Adam-Kernig

Adam-Kernig commented Feb 18, 2019

> I understand that forcing some modules that require v1.x use v2.x is a hack but I have pinned braces to 2.x just recently in order to tackle the issue and @angular/compiler-cli seems to work well with braces@2.x. I don't use the complete Angular CLI thing though but only @angular/compiler-cli module directly with custom webpack config.

Just to try this change, I am seeing no changes in a fresh npm i with the package.json changes.

@Adam-Kernig

After investigating and pulling multiple requests to the dependency change, it looks like Chokidar needs to be updated to a more recent version, which has the depd fixes in.

@gkalpak changed the title from "Please upgrade to latest micromatch version" to "NPM audit failure - @angular/compiler-cli v7.2.5" on Feb 18, 2019
@vladimiry

vladimiry commented Feb 18, 2019

> Just to try this change, I am seeing no changes in a fresh

The pinning I applied works for yarn only, not the npm. Besides, there is a need to regenerate the lock file.
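The "Path" column in the audit report and the yarn pinning workaround discussed above, as an added example that is not code from this issue or from the Angular project: a script that walks a package-lock.json in the lockfile v1 layout (what npm 6 produced at the time), reports every nested copy of a package whose version is below the advisory's "Patched in" lower bound in the same `a > b > c` form npm audit prints, and then emits the yarn v1 `resolutions` entries that would pin those copies. The lock file embedded below, and every version number in it, is constructed for illustration to mirror the two paths this thread talks about; `findUnpatchedCopies`, `compareVersions` and `yarnResolutionsFor` are names chosen here, not tooling APIs.

```javascript
// Added example, not code from the Angular issue or project. It walks a
// package-lock.json in the lockfile v1 layout (npm 6, current when this issue was
// filed), reports every nested copy of a package whose version is below the
// advisory's "Patched in" lower bound, and emits the yarn v1 "resolutions" entries
// that pin those copies. The lock file and all version numbers in it are
// constructed to mirror the two paths discussed in the thread.

const CONSTRUCTED_LOCK = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    // hoisted copy already in the patched range: must not be reported
    braces: { version: "2.3.2" },
    "@angular/compiler-cli": {
      version: "7.2.5",
      dev: true,
      dependencies: {
        chokidar: {
          version: "1.7.0",
          dependencies: {
            anymatch: {
              version: "1.3.2",
              dependencies: {
                micromatch: {
                  version: "2.3.11",
                  dependencies: { braces: { version: "1.8.5" } },
                },
              },
            },
          },
        },
      },
    },
    karma: {
      version: "3.1.4",
      dev: true,
      dependencies: {
        "expand-braces": {
          version: "0.1.2",
          dependencies: { braces: { version: "0.1.5" } },
        },
      },
    },
  },
};

// Compare two "major.minor.patch" strings numerically; returns <0, 0 or >0.
// Pre-release suffixes are stripped, which is enough for the versions here.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk over the nested "dependencies" maps. Each node is one install
// location; a copy of `target` is reported when its version is below `patchedMin`.
// The path is rendered the way npm audit prints it ("a > b > c"), and the [dev]
// flag is taken from the top-level ancestor, as npm audit does.
function findUnpatchedCopies(lock, target, patchedMin) {
  const findings = [];
  function walk(deps, trail, dev) {
    for (const [name, node] of Object.entries(deps || {})) {
      const path = [...trail, name];
      const isDev = trail.length === 0 ? Boolean(node.dev) : dev;
      if (name === target && compareVersions(node.version, patchedMin) < 0) {
        findings.push({ path: path.join(" > "), version: node.version, dev: isDev });
      }
      walk(node.dependencies, path, isDev);
    }
  }
  walk(lock.dependencies, [], false);
  return findings;
}

// Yarn v1 selective resolutions: "<top-level dep>/**/<pkg>" overrides only the
// copies under that ancestor, which is narrower than a blanket "**/<pkg>". npm 6
// has no equivalent field, and yarn.lock must be regenerated after adding this.
function yarnResolutionsFor(findings, target, range) {
  const resolutions = {};
  for (const f of findings) {
    const top = f.path.split(" > ")[0];
    resolutions[top === target ? target : `${top}/**/${target}`] = range;
  }
  return { resolutions };
}

function main() {
  const findings = findUnpatchedCopies(CONSTRUCTED_LOCK, "braces", "2.3.1");
  for (const f of findings) {
    console.log(`${f.path}@${f.version}${f.dev ? " [dev]" : ""}`);
  }
  console.log(JSON.stringify(yarnResolutionsFor(findings, "braces", "^2.3.1"), null, 2));
}

main();
```

The hoisted top-level `braces@2.3.2` is deliberately not reported: a patched copy at the root does not help a consumer that resolves its own nested 1.x copy, which is exactly why `npm audit` keeps flagging the `@angular/compiler-cli > ... > braces` and `karma > expand-braces > braces` paths until those ancestors move their own ranges. The generated `resolutions` block only takes effect with yarn and only after the lock file is regenerated, as noted above.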

gkalpak added a commit to gkalpak/angular that referenced this issue Feb 18, 2019
gkalpak added a commit to gkalpak/angular that referenced this issue Feb 18, 2019
@pkozlowski-opensource added the "security" label (Issues that generally impact framework or application security) Feb 18, 2019
@railsstudent
Contributor

I am still getting audit failure, how can I solve it?
Steps:
npm i
npm audit fix

Thanks.

@mboughaba
Author

@railsstudent the fix is not yet released.
@pkozlowski-opensource would it be possible to provide a target date and target angular version?

@Adam-Kernig

Also confirmed, it's been merged to master but not released; this shouldn't be closed.

@gkalpak
Member

gkalpak commented Feb 20, 2019

The fix has been merged to both master and 7.2.x. It will be included in the next releases.
Not sure when exactly, but releases typically happen every week (or so).

@vladimiry

vladimiry commented Feb 20, 2019

v7.2.6 has just been released with the fix included.

@iconio

iconio commented Feb 21, 2019

I've updated everything and instead of 2 errors now I'm getting one.

Am I missing something?

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma > expand-braces > braces                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

Here is my system info:


     _                      _                 ____ _     ___
    / \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|
   / △ \ | '_ \ / _` | | | | |/ _` | '__|   | |   | |    | |
  / ___ \| | | | (_| | |_| | | (_| | |      | |___| |___ | |
 /_/   \_\_| |_|\__, |\__,_|_|\__,_|_|       \____|_____|___|
                |___/


Angular CLI: 7.3.2
Node: 8.14.0
OS: darwin x64
Angular: 7.2.6
... animations, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router

Package                           Version
-----------------------------------------------------------
@angular-devkit/architect         0.13.2
@angular-devkit/build-angular     0.13.2
@angular-devkit/build-optimizer   0.13.2
@angular-devkit/build-webpack     0.13.2
@angular-devkit/core              7.3.2
@angular-devkit/schematics        7.3.2
@angular/cli                      7.3.2
@angular/fire                     5.1.1
@ngtools/webpack                  7.3.2
@schematics/angular               7.3.2
@schematics/update                0.13.2
rxjs                              6.4.0
typescript                        3.2.4
webpack                           4.29.0

Also ran the ng update command and I got this:

We analyzed your package.json and everything seems to be in order. Good work!

@vladimiry

@iconio karma-runner/karma#3269. The workaround for yarn users is simple: pinning braces@2.x.

@Adam-Kernig

@iconio Karma is also going through the release process for this on v4; please hop over to their branch and look at the braces release for it. It's been moved into master but not deployed.

@iconio

iconio commented Feb 21, 2019

Hey @vladimiry and @Adam-Kernig thanks!

@cgds188

cgds188 commented Feb 21, 2019

Can we expect the same fix for v5-lts version?

@gkalpak
Member

gkalpak commented Feb 28, 2019

@cgds188, yes, the plan is to backport this to the active LTS branches (i.e. 5.x and 6.x).

gkalpak added a commit to gkalpak/angular that referenced this issue Feb 28, 2019
gkalpak added a commit to gkalpak/angular that referenced this issue Feb 28, 2019
This is a backport of 745c9c5 to 5.2.x.
Related to angular#28771.
gkalpak added a commit to gkalpak/angular that referenced this issue Feb 28, 2019
This is a backport of 745c9c5 to 5.2.x.
Related to angular#28771.
gkalpak added a commit to gkalpak/angular that referenced this issue Feb 28, 2019
gkalpak added a commit to gkalpak/angular that referenced this issue Mar 6, 2019
@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Sep 14, 2019