
loader-utils is vulnerable. Will install @angular-devkit/build-angular@12.2.18


Which @angular/* package(s) are the source of the bug?

Don't know / other

Is this a regression?

No

Description

npm audit

npm audit report

loader-utils  3.0.0 - 3.2.0
Severity: high
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@12.2.18, which is a breaking change
node_modules/loader-utils
  @angular-devkit/build-angular  13.0.0-next.0 - 15.0.0-rc.3
  Depends on vulnerable versions of loader-utils
  node_modules/@angular-devkit/build-angular

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

No response

Please provide the environment you discovered this bug in (run ng version)

No response

Anything else?

No response
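The audit report above only says that some copy of loader-utils in the 3.0.0 - 3.2.0 range is reachable through @angular-devkit/build-angular, and the fix it offers (`npm audit fix --force`) is a breaking downgrade to build-angular 12.2.18. Before taking that, a practitioner usually wants to see exactly which install paths pull in a flagged version. The script below is an added example, not code from the angular-cli issue or from the loader-utils project: it walks the JSON tree that `npm ls loader-utils --all --json` prints and reports every copy whose version falls inside the range quoted in the audit output. The tree it runs on is constructed inline (the package name "some-loader" is hypothetical) so it works offline; point `findVulnerable` at real `npm ls` output to check your own project.

```javascript
// Added example (not from the angular-cli issue or the loader-utils project).
// Locates every installed copy of a package whose version falls inside an
// advisory range, using the shape of `npm ls --all --json` output.

// Advisory ranges copied from the npm audit report on this page.
// Both advisories list the same affected range, 3.0.0 - 3.2.0 (inclusive).
const ADVISORIES = [
  { id: "GHSA-3rfm-jhwj-7488", min: "3.0.0", max: "3.2.0" },
  { id: "GHSA-hhq3-ff78-jv3g", min: "3.0.0", max: "3.2.0" },
];

// Parse "major.minor.patch" into numbers. A pre-release or build suffix
// ("3.1.0-beta.1") is dropped, so a pre-release of an affected version is
// treated as affected; that is the conservative choice for an audit check.
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`not a semver core version: ${v}`);
  }
  return parts;
}

// Numeric, field-by-field comparison (so 3.10.0 > 3.9.9). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive range test, matching npm's "3.0.0 - 3.2.0" notation.
function inRange(version, min, max) {
  return compareVersions(version, min) >= 0 && compareVersions(version, max) <= 0;
}

// Walk an `npm ls --json` tree and return every installed copy of `pkg`
// matching an advisory, with the dependency path that pulls it in.
function findVulnerable(tree, pkg, advisories = ADVISORIES) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const childPath = [...path, name];
      if (name === pkg && child.version) {
        for (const adv of advisories) {
          if (inRange(child.version, adv.min, adv.max)) {
            hits.push({ path: childPath.join(" > "), version: child.version, advisory: adv.id });
          }
        }
      }
      walk(child, childPath); // nested node_modules can hold a second copy
    }
  };
  walk(tree, []);
  return hits;
}

// Constructed sample standing in for real `npm ls loader-utils --all --json`
// output: one nested copy inside the flagged range and one outside it.
// "some-loader" is a hypothetical package name used only for the example.
const SAMPLE_TREE = {
  name: "my-app",
  version: "0.0.0",
  dependencies: {
    "@angular-devkit/build-angular": {
      version: "14.2.9",
      dependencies: {
        "loader-utils": { version: "3.2.0" },
        "some-loader": {
          version: "1.0.0",
          dependencies: { "loader-utils": { version: "3.2.1" } },
        },
      },
    },
  },
};

// One line per finding, in the form "path@version  advisory-id".
function report(tree, pkg) {
  return findVulnerable(tree, pkg).map((h) => `${h.path}@${h.version}  ${h.advisory}`);
}

console.log(report(SAMPLE_TREE, "loader-utils").join("\n"));
```

The output names the path through @angular-devkit/build-angular as the only flagged one, which is what the audit report says in prose. With that information in hand, the route the maintainers describe in the comments below (move to a CLI release that updated loader-utils) can be weighed against the breaking downgrade that `npm audit fix --force` would apply.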

Issue Analytics

  • State: closed
  • Created: 10 months ago
  • Reactions: 4
  • Comments: 10

Top GitHub Comments

3 reactions
alan-agius4 commented, Nov 17, 2022

@pawan-gwebs, it has not been released yet. Likely it will be released later on during the day today…

3 reactions
pawan-gwebs commented, Nov 16, 2022

> We do not expect that the Angular CLI is used on production where this vulnerability can be exploited. That said, we will update loader-utils in version 13.3 and 14.2 of the Angular CLI.
>
> Please be aware that Angular version 12 is no longer under support. See https://angular.io/guide/releases#actively-supported-versions

We are already on Angular version 14.2.9 and I have this in "devDependencies": { "@angular-devkit/build-angular": "^14.2.9" }. This warning was not in "@angular-devkit/build-angular": "^14.2.7". This vulnerability issue is due to the "loader-utils" dependency of "@angular-devkit/build-angular". Maybe it is in the latest version of "loader-utils".


Top Results From Across the Web

Security Vulnerabilities issue #216 - webpack/loader-utils
i see webpack have no plan to update loader-utils version. they still use v2. i tried to force use v3 by resolutions but...

Prototype Pollution in loader-utils | CVE-2022-37601 | Snyk
Affected versions of this package are vulnerable to Prototype Pollution in parseQuery function via the name variable in parseQuery.js.

Angular 14 & Prototype pollution in webpack loader-utils
I'm new to development with angular, and I get a critical error alert that I don't understand, from git on an angular project...

Multiple vulnerabilities in webpack loader-utils
The vulnerability exists due to insufficient validation of user-supplied input passed via the resourcePath variable to interpolateName() ...

loader-utils - npm
getOptions · If this.query is a string: Tries to parse the query string and returns a new object; Throws if it's not a...
