
NPM audit Angular project found 36 vulnerabilities (35 moderate, 1 high) #5792

Closed
WCN-llc opened this issue May 26, 2021 · 6 comments
Labels
outdated scope: angular Issues related to Angular support in Nx type: bug

Comments


WCN-llc commented May 26, 2021

Current Behavior

Created the Angular project. Conducted an audit. Found 36 vulnerabilities (35 moderate, 1 high)

Expected Behavior

Expect the audit to find 0 vulnerabilities

Steps to Reproduce

Run npm audit

```
 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 autoprefixer > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 css-blank-pseudo > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 css-has-pseudo > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 css-prefers-color-scheme > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-attribute-case-insensitive > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-color-functional-notation > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-color-gray > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-color-hex-alpha > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-color-mod-function > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-color-rebeccapurple > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-custom-media > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-custom-properties > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-custom-selectors > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-dir-pseudo-class > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-double-position-gradients > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-env-function > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-focus-visible > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-focus-within > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-font-variant > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-gap-properties > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-image-set-function > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-initial > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-lab-function > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-logical > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-media-minmax > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-nesting > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-overflow-shorthand > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-page-break > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-place > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-pseudo-class-any-link > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-replace-overflow-wrap > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-selector-matches > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > postcss-preset-env >
                 postcss-selector-not > postcss
 More info       https://npmjs.com/advisories/1693

 Moderate        Regular Expression Denial of Service
 Package         postcss
 Patched in      >=8.2.10
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > resolve-url-loader > postcss
 More info       https://npmjs.com/advisories/1693

 High            Memory Exposure
 Package         dns-packet
 Patched in      >=5.2.2
 Dependency of   @angular-devkit/build-angular [dev]
 Path            @angular-devkit/build-angular > webpack-dev-server > bonjour
                 > multicast-dns > dns-packet
 More info       https://npmjs.com/advisories/1745

found 36 vulnerabilities (35 moderate, 1 high) in 2069 scanned packages
 36 vulnerabilities require manual review. See the full report for details.
```

Environment

NX Report:

```
  Node : 14.17.0
  OS   : win32 x64
  npm  : 6.14.13

  nx : Not Found
  @nrwl/angular : 12.3.4
  @nrwl/cli : 12.3.4
  @nrwl/cypress : 12.3.4
  @nrwl/devkit : 12.3.4
  @nrwl/eslint-plugin-nx : 12.3.4
  @nrwl/express : Not Found
  @nrwl/jest : 12.3.4
  @nrwl/linter : 12.3.4
  @nrwl/nest : Not Found
  @nrwl/next : Not Found
  @nrwl/node : Not Found
  @nrwl/react : Not Found
  @nrwl/schematics : Not Found
  @nrwl/tao : 12.3.4
  @nrwl/web : Not Found
  @nrwl/workspace : 12.3.4
  @nrwl/storybook : Not Found
  @nrwl/gatsby : Not Found
  typescript : 4.2.4
```
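As an added example (not part of the issue or of Nx), a small parser for the npm 6 audit table quoted above: it folds the table rows back onto the advisory each one points at and records the dependency directly below @angular-devkit/build-angular through which the vulnerable package is pulled in, which is the thing to track when deciding whether an upgrade clears the rows. SAMPLE_AUDIT is a constructed three-row excerpt in the same layout, not the full report.

```javascript
// Constructed excerpt in the shape of the npm 6 audit table quoted above (3 of its 36 rows).
const SAMPLE_AUDIT = [
  ' Moderate        Regular Expression Denial of Service',
  ' Package         postcss',
  ' Patched in      >=8.2.10',
  ' Dependency of   @angular-devkit/build-angular [dev]',
  ' Path            @angular-devkit/build-angular > postcss-preset-env >',
  '                 autoprefixer > postcss',
  ' More info       https://npmjs.com/advisories/1693',
  ' Moderate        Regular Expression Denial of Service',
  ' Package         postcss',
  ' Patched in      >=8.2.10',
  ' Dependency of   @angular-devkit/build-angular [dev]',
  ' Path            @angular-devkit/build-angular > resolve-url-loader > postcss',
  ' More info       https://npmjs.com/advisories/1693',
  ' High            Memory Exposure',
  ' Package         dns-packet',
  ' Patched in      >=5.2.2',
  ' Dependency of   @angular-devkit/build-angular [dev]',
  ' Path            @angular-devkit/build-angular > webpack-dev-server > bonjour',
  '                 > multicast-dns > dns-packet',
  ' More info       https://npmjs.com/advisories/1745',
].join('\n');
const SEVERITY = /^\s*(Low|Moderate|High|Critical)\s{2,}(.+)$/;
const FIELD = /^\s*(Package|Patched in|Dependency of|Path|More info)\s{2,}(.+)$/;
// One object per table row; a label-less indented line continues the previous value (wrapped "Path").
function parseAudit(text) {
  const findings = [];
  let cur = null, lastKey = null;
  for (const raw of text.split('\n')) {
    const line = raw.trimEnd();
    if (!line.trim()) continue;
    let m = line.match(SEVERITY);
    if (m) { cur = { severity: m[1], title: m[2].trim() }; findings.push(cur); lastKey = null; continue; }
    m = line.match(FIELD);
    if (m && cur) { lastKey = m[1]; cur[lastKey] = m[2].trim(); continue; }
    if (cur && lastKey) cur[lastKey] += ' ' + line.trim();
  }
  return findings;
}
// Collapse rows onto the advisory they share; "via" is the hop right below build-angular.
function summarize(findings) {
  const byAdvisory = {};
  for (const f of findings) {
    const e = byAdvisory[f['More info']] || (byAdvisory[f['More info']] =
      { severity: f.severity, package: f.Package, patched: f['Patched in'], paths: [], via: new Set() });
    e.paths.push(f.Path);
    e.via.add(f.Path.split(' > ')[1]);
  }
  return byAdvisory;
}
```

Run over the full report above, the 35 Moderate rows collapse onto advisory 1693 with only postcss-preset-env and resolve-url-loader as direct hops, and the one High row is advisory 1745 via webpack-dev-server, which is why the later comments treat this as two fixes, not 36.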

@vsavkin vsavkin added the scope: angular Issues related to Angular support in Nx label May 27, 2021
vsavkin (Member) commented May 27, 2021

Thank you for submitting the issue.

@leosvelperez @Coly010 We need to update the version of build-angular and I think it will be fixed.

@vsavkin vsavkin closed this as completed May 27, 2021
@vsavkin vsavkin reopened this May 27, 2021
WCN-llc (Author) commented May 27, 2021

Thank you!
While one error (1 high) disappeared, the rest (35 moderate) remained.
I will wait.

Splaktar commented May 30, 2021

The root issue of the Moderate warnings is here: angular/angular-cli#20795. It's currently blocked on csstools/postcss-preset-env#191.

The High warning is fixed in @angular-devkit/build-angular@12.0.2.

leosvelperez (Member) commented

I changed the dependencies for new workspaces to get the latest minor versions of the Angular packages when creating the workspace. That fixes the High vulnerability since, by default, it will install at least version 12.0.2 of the @angular-devkit/build-angular (the latest at the time of writing) which solves that one as mentioned by @Splaktar.

There's nothing we can do with the Moderate vulnerabilities. They will be solved when the issues mentioned in this comment #5792 (comment) get resolved. When that happens, devs will need to make sure to install the appropriate version of the @angular-devkit/build-angular package.

leosvelperez (Member) commented

I'll close this one as it is not actionable for us.

The remaining vulnerabilities come from the @angular-devkit/build-angular package. Please follow the issues shared on this comment #5792 (comment) for an update on the resolution. Thanks @Splaktar for sharing those issues!

github-actions bot commented

This issue has been closed for more than 30 days. If this issue is still occurring, please open a new issue with more recent context.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 23, 2023
4 participants