npm audit async
installed version "@angular-eslint/builder": "13.2.0",
# npm audit report
async <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install @angular-eslint/builder@12.2.1, which is a breaking change
node_modules/async
node_modules/portfinder/node_modules/async
  jake >=8.0.1
  Depends on vulnerable versions of async
  node_modules/jake
    ejs >=3.1.2
    Depends on vulnerable versions of jake
    node_modules/ejs
      @nrwl/devkit *
      Depends on vulnerable versions of ejs
      node_modules/@nrwl/devkit
        @angular-eslint/builder >=12.2.2-alpha.0
        Depends on vulnerable versions of @nrwl/devkit
        node_modules/@angular-eslint/builder
  portfinder 0.1.0 || >=0.4.0
  Depends on vulnerable versions of async
  node_modules/portfinder
    webpack-dev-server >=2.0.0-beta
    Depends on vulnerable versions of portfinder
    node_modules/webpack-dev-server
      @angular-devkit/build-angular *
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-angular
Issue Analytics
- Created a year ago
- Reactions: 19
- Comments: 11 (2 by maintainers)
Top GitHub Comments
Hi @JamesHenry, no, OP is not reporting angular-eslint v12. @dertuerke has installed v13 and it is the audit fix that suggests downgrading a major version to "fix" this issue. And as @trazeris mentioned, it all boils down to a vulnerability in a dependency of a dependency: @angular-eslint/builder@13.2.1 => @nrwl/devkit@13.1.3 => ejs@3.1.6 => jake@10.8.4 => async@0.9.2. All versions of async have a Prototype Pollution high vulnerability that has been fixed in 3.2.2.
It is up to jake to update their dependency on async, cf. #406 #408

We need to distinguish what's going on here.
The OP is reporting angular-eslint v12, which is not the current major version of this project. The vulnerability related to async is present in brand new Angular CLI workspaces without any involvement from angular-eslint at all, because as seen on these reports it is originating from @angular-devkit/build-webpack:
Please kindly report this to the Angular CLI folks. I will leave this open for now for visibility.
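The audit report above and the first comment both come down to tracing which top-level package pulls in the vulnerable `async` and noticing that the offered "fix" is a major-version downgrade. The script below is an added example (not code from the issue, from npm or from angular-eslint) that does that tracing over an `npm audit --json` style object; the JSON shape it assumes (npm 7+: `via`, `effects`, `fixAvailable`) and the sample report are constructed to mirror the report quoted above.

```javascript
// Added example (not from the issue or from angular-eslint): walk an
// `npm audit --json` style report, rebuild the chains that pull in a vulnerable
// package, and check whether the offered fix is a semver-major change.
// Assumed npm 7+ audit JSON shape: vulnerabilities[name] has `via` (strings for
// other packages, objects for advisories), `effects` (dependants) and
// `fixAvailable` (boolean or {name, version, isSemVerMajor}).
const advisory = { title: 'Prototype Pollution in async', severity: 'high',
  range: '<3.2.2', url: 'https://github.com/advisories/GHSA-fwr7-v2mv-hh25' };
const fix = { name: '@angular-eslint/builder', version: '12.2.1', isSemVerMajor: true };
// Constructed sample mirroring the report quoted above; only used fields are set.
const auditReport = { vulnerabilities: {
  'async': { range: '<3.2.2', via: [advisory], effects: ['jake', 'portfinder'], fixAvailable: fix },
  'jake': { range: '>=8.0.1', via: ['async'], effects: ['ejs'], fixAvailable: fix },
  'ejs': { range: '>=3.1.2', via: ['jake'], effects: ['@nrwl/devkit'], fixAvailable: fix },
  '@nrwl/devkit': { range: '*', via: ['ejs'], effects: ['@angular-eslint/builder'], fixAvailable: fix },
  '@angular-eslint/builder': { range: '>=12.2.2-alpha.0', via: ['@nrwl/devkit'], effects: [], fixAvailable: fix },
  'portfinder': { range: '0.1.0 || >=0.4.0', via: ['async'], effects: ['webpack-dev-server'] },
  'webpack-dev-server': { range: '>=2.0.0-beta', via: ['portfinder'], effects: ['@angular-devkit/build-angular'] },
  '@angular-devkit/build-angular': { range: '*', via: ['webpack-dev-server'], effects: [] },
} };
// Packages carrying an advisory directly (objects in `via`): the real root causes.
function rootCauses(report) {
  return Object.entries(report.vulnerabilities)
    .filter(([, v]) => v.via.some((x) => typeof x === 'object'))
    .map(([name, v]) => ({ name, range: v.range,
      urls: v.via.filter((x) => typeof x === 'object').map((x) => x.url) }));
}

// Every chain "root => ... => pkg", following `effects` (dependants) upward
// until nothing depends on the current package; path.includes guards cycles.
function dependencyChains(report, pkg) {
  const vulns = report.vulnerabilities, chains = [];
  (function walk(name, path) {
    const next = (vulns[name]?.effects ?? []).filter((e) => !path.includes(e));
    if (next.length === 0) chains.push([...path].reverse().join(' => '));
    for (const e of next) walk(e, [...path, e]);
  })(pkg, [pkg]);
  return chains;
}

// True when the offered fix is semver-major, i.e. what `npm audit fix --force`
// would apply as a breaking change to a top-level package.
function fixIsBreaking(report, pkg) {
  const f = report.vulnerabilities[pkg]?.fixAvailable;
  return typeof f === 'object' && f !== null && f.isSemVerMajor === true;
}
for (const c of rootCauses(auditReport)) {
  console.log(`${c.name} ${c.range}: ${c.urls.join(', ')}`);
  dependencyChains(auditReport, c.name).forEach((chain) => console.log('  ' + chain));
  console.log(`  offered fix is breaking: ${fixIsBreaking(auditReport, c.name)}`);
}
```

On a real project, feed it the parsed output of `npm audit --json` instead of the constructed object; a breaking fix flagged here is the cue to pin or override the transitive package (or wait for the intermediate maintainer, jake in this case) rather than run `npm audit fix --force`.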