Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Denial of Service (DoS) vulnerability introduced by a nested dependency (WS) of @nx/angular #27310

Closed
1 of 4 tasks
R-Lek opened this issue Aug 6, 2024 · 2 comments · Fixed by #27375
Closed
1 of 4 tasks

Denial of Service (DoS) vulnerability introduced by a nested dependency (WS) of @nx/angular #27310

R-Lek opened this issue Aug 6, 2024 · 2 comments · Fixed by #27375
Assignees
@Coly010
Labels
outdated scope: angular Issues related to Angular support in Nx type: bug

Comments

@R-Lek
Copy link

R-Lek commented Aug 6, 2024
edited
Loading

Current Behavior

Apologies beforehand if this matter has already been resolved, but I've looked far and wide and failed to find it if it has.

WS, a nested dependency of @nx/angular, introduced a DoS vulnerability in version ws@8.17.0: GHSA-3h5v-q93c-6h6q

  • We first encountered this when we updated our application a few months ago to @nx/angular@19.0.1 and received a Snyk warning: https://security.snyk.io/vuln/SNYK-JS-WS-7266574
  • The nested dependency tree turned out to be the following:
    @nx/angular@19.0.1 › @nx/webpack@19.0.1 › webpack-dev-server@4.15.1 › ws@8.17.0

It appears that 2 weeks ago webpack-dev-server resolved the issue in their latest version 5.0.4:
webpack/webpack-dev-server#5241
package.json v5.0.4

However, as far as I can tell the latest version of @nx/angular (19.5.6) does not make use of this version yet in the above mentioned nested dependency tree.

Expected Behavior

No DoS vulnerability issues raised by nested dependency of @nx/angular

Suggestion

Make use of WS version @8.17.1 (or higher) in nested dependencies, since the vulnerability issue was resolved by that version

GitHub Repo

No response

Steps to Reproduce

  1. Have @nx/angular as a dependency in your project
  2. Make use of Snyk to be informed about the vulnerability

Nx Report

Node   : 20.12.2
OS     : darwin-arm64
npm    : 10.5.0

nx                 : 19.3.0
@nx/js             : 19.3.0
@nx/jest           : 19.3.0
@nx/linter         : 19.3.0
@nx/eslint         : 19.3.0
@nx/workspace      : 19.3.0
@nx/angular        : 19.3.0
@nx/cypress        : 19.3.0
@nx/devkit         : 19.3.0
@nx/esbuild        : 19.3.0
@nx/eslint-plugin  : 19.3.0
@nx/node           : 19.3.0
@nx/plugin         : 19.3.0
@nx/storybook      : 19.3.0
@nrwl/tao          : 19.3.0
@nx/web            : 19.3.0
@nx/webpack        : 19.3.0
typescript         : 5.4.5
---------------------------------------
Registered Plugins:
@nx/eslint/plugin
---------------------------------------
Community plugins:
@compodoc/compodoc   : 1.1.24
@ngrx/effects        : 17.2.0
@ngrx/entity         : 17.2.0
@ngrx/router-store   : 17.2.0
@ngrx/schematics     : 17.2.0
@ngrx/signals        : 17.2.0
@ngrx/store          : 17.2.0
@ngrx/store-devtools : 17.2.0
@storybook/angular   : 8.1.7
ng-mocks             : 14.13.0
ngx-toastr           : 18.0.0
---------------------------------------
Local workspace plugins:
	 @fl/tools

Failure Logs

No response

Package Manager Version

No response

Operating System

  • macOS
  • Linux
  • Windows
  • Other (Please specify)

Additional Information

No response
@R-Lek R-Lek added the type: bug label Aug 6, 2024
@FrozenPandaz FrozenPandaz added the scope: angular Issues related to Angular support in Nx label Aug 9, 2024
Coly010 added a commit that referenced this issue Aug 12, 2024
@Coly010
fix(webpack): bump webpack-dev-server to 5.0.4 #27310

Verified

This commit was signed with the committer’s verified signature.
thaJeztah Sebastiaan van Stijn
GPG key ID: 76698F39D527CE8C
Verified
Learn about vigilant mode
Loading
Loading status checks…
3dce82e
@Coly010 Coly010 mentioned this issue Aug 12, 2024
Merged
jaysoo pushed a commit that referenced this issue Aug 12, 2024
@Coly010
fix(webpack): bump webpack-dev-server to 5.0.4 #27310 (#27375)

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode
Loading
Loading status checks…
69fac03 
<!-- Please make sure you have read the submission guidelines before
posting an PR -->
<!--
https://github.com/nrwl/nx/blob/master/CONTRIBUTING.md#-submitting-a-pr
-->

<!-- Please make sure that your commit message follows our format -->
<!-- Example: `fix(nx): must begin with lowercase` -->

<!-- If this is a particularly complex change or feature addition, you
can request a dedicated Nx release for this pull request branch. Mention
someone from the Nx team or the `@nrwl/nx-pipelines-reviewers` and they
will confirm if the PR warrants its own release for testing purposes,
and generate it for you if appropriate. -->

## Current Behavior
<!-- This is the behavior we have today -->
`webpack-dev-server` dependency is not up to date.


## Expected Behavior
<!-- This is the behavior we should expect with the changes in this PR
-->
`webpack-dev-server` dependency is up to date

## Related Issue(s)
<!-- Please link the issue being fixed so it gets closed when this is
merged. -->

Fixes #27310
@R-Lek
Copy link
Author

R-Lek commented Aug 13, 2024

Thx!

@github-actions GitHub Actions
Copy link

This issue has been closed for more than 30 days. If this issue is still occuring, please open a new issue with more recent context.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 13, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@Coly010 Coly010

Labels
outdated scope: angular Issues related to Angular support in Nx type: bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(webpack): bump webpack-dev-server to 5.0.4 #27310 nrwl/nx
3 participants
@FrozenPandaz @Coly010 @R-Lek