
installed version “@angular-eslint/builder”: “13.2.0”,

# npm audit report

async  <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install @angular-eslint/builder@12.2.1, which is a breaking change
node_modules/async
node_modules/portfinder/node_modules/async
  jake  >=8.0.1
  Depends on vulnerable versions of async
  node_modules/jake
    ejs  >=3.1.2
    Depends on vulnerable versions of jake
    node_modules/ejs
      @nrwl/devkit  *
      Depends on vulnerable versions of ejs
      node_modules/@nrwl/devkit
        @angular-eslint/builder  >=12.2.2-alpha.0
        Depends on vulnerable versions of @nrwl/devkit
        node_modules/@angular-eslint/builder
  portfinder  0.1.0 || >=0.4.0
  Depends on vulnerable versions of async
  node_modules/portfinder
    webpack-dev-server  >=2.0.0-beta
    Depends on vulnerable versions of portfinder
    node_modules/webpack-dev-server
      @angular-devkit/build-angular  *
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-angular

Issue Analytics

  • State: closed
  • Created a year ago
  • Reactions: 19
  • Comments: 11 (2 by maintainers)

Top GitHub Comments

5 reactions
PeterHewat commented, Apr 19, 2022

> We need to distinguish what’s going on here.
>
> The OP is reporting angular-eslint v12, which is not the current major version of this project.

Hi @JamesHenry, no, the OP is not reporting angular-eslint v12. @dertuerke has installed v13, and it is the audit fix that suggests downgrading a major version to “fix” this issue. And as @trazeris mentioned, it all boils down to a vulnerability in a dependency of a dependency: @angular-eslint/builder@13.2.1 => @nrwl/devkit@13.1.3 => ejs@3.1.6 => jake@10.8.4 => async@0.9.2

All versions of async have a Prototype Pollution high vulnerability that has been fixed in 3.2.2

It is up to jake to update their dependency on async cf. #406 #408
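The chain in the comment above is exactly what a practitioner wants to enumerate mechanically rather than by reading nested `npm audit` output. The following is an added example, not code from this issue, from angular-eslint or from jake: it walks a tree shaped like the output of `npm ls --json --all` and lists every path that ends at a copy of `async` below the fixed version named in GHSA-fwr7-v2mv-hh25, noting whether that copy is reachable only through devDependencies. The tree is constructed inline to mirror the chain quoted above; the `webpack-dev-server` and `portfinder` versions in it, and the "safe" top-level `async`, are assumptions added to exercise the control path, and `compareVersions` is a minimal helper that ignores pre-release tags.

```javascript
// Added example (not from the issue): find every path to a vulnerable `async`
// in an `npm ls --json --all`-shaped tree and say whether each is dev-only.
const ADVISORY = { name: 'async', fixedIn: '3.2.2' }; // GHSA-fwr7-v2mv-hh25

// Constructed sample tree. Shape matches `npm ls --json --all`:
// { name, version, dev?, dependencies: { <pkg>: {...} } }. Versions for
// webpack-dev-server / portfinder and the top-level async are assumed.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '0.0.0',
  dependencies: {
    '@angular-eslint/builder': {
      version: '13.2.1', dev: true,
      dependencies: {
        '@nrwl/devkit': {
          version: '13.1.3', dev: true,
          dependencies: {
            ejs: {
              version: '3.1.6', dev: true,
              dependencies: {
                jake: {
                  version: '10.8.4', dev: true,
                  dependencies: { async: { version: '0.9.2', dev: true } },
                },
              },
            },
          },
        },
      },
    },
    'webpack-dev-server': {
      version: '4.7.4', dev: true,
      dependencies: {
        portfinder: {
          version: '1.0.28', dev: true,
          dependencies: { async: { version: '2.6.3', dev: true } },
        },
      },
    },
    // Control: a runtime copy already at or above the fixed version.
    async: { version: '3.2.3', dev: false },
  },
};

// Numeric compare of dotted release versions; pre-release suffixes are dropped.
// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk. Every dependency edge is followed, so nested copies
// (node_modules/portfinder/node_modules/async) are found as well as hoisted
// ones. Each hit records the full path from the root and whether the leaf is
// marked dev-only by npm.
function findVulnerablePaths(tree, advisory) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const nextPath = path.concat(`${name}@${child.version}`);
      if (name === advisory.name && compareVersions(child.version, advisory.fixedIn) < 0) {
        hits.push({ path: nextPath, devOnly: child.dev === true });
      }
      walk(child, nextPath);
    }
  };
  walk(tree, []);
  return hits;
}

// Human-readable report, one line per vulnerable path.
function formatReport(hits) {
  return hits.map(h => `${h.devOnly ? '[dev]    ' : '[runtime]'} ${h.path.join(' => ')}`);
}

if (typeof require !== 'undefined' && require.main === module) {
  // Real use: node this.js < <(npm ls --json --all)
  const tree = process.stdin.isTTY ? SAMPLE_TREE : JSON.parse(require('fs').readFileSync(0, 'utf8'));
  formatReport(findVulnerablePaths(tree, ADVISORY)).forEach(line => console.log(line));
}

module.exports = { ADVISORY, SAMPLE_TREE, compareVersions, findVulnerablePaths, formatReport };
```

Run it against a real workspace with `npm ls --json --all | node find-async.js` (the file name is whatever you save the block as). The `dev: true` flag in `npm ls` output marks packages reachable only via devDependencies, which is the distinction that matters for triage here: a prototype-pollution bug in a build-time dependency of a linter does not ship in the application bundle, but it is still present on developer and CI machines. For production code, use the `semver` package rather than the minimal comparator above, and note that npm 8.3+ also offers an `overrides` field in package.json as an alternative to the major-version downgrade `npm audit fix --force` proposes.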

5 reactions
JamesHenry commented, Apr 14, 2022

We need to distinguish what’s going on here.

The OP is reporting angular-eslint v12, which is not the current major version of this project.

The vulnerability related to async is present in brand new Angular CLI workspaces without any involvement from angular-eslint at all, because as seen on these reports it is originating from @angular-devkit/build-webpack:


Please kindly report this to the Angular CLI folks. I will leave this open for now for visibility


Top Results From Across the Web

npm-audit
The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of...

Fixing security vulnerabilities in npm dependencies in less ...
2.1) To fix any dependency, you need to first know which npm package depends on that. npm audit. This will tell you the...

Compilation error due to a vulnerabilities in angular-devkit ...
There is a new 2.6.4 release of the "async" library (in the last 24 ... here: https://github.com/caolan/async/pull/1828), but npm audit ...

npm-audit-html - npm Package Health Analysis - Snyk
Learn more about npm-audit-html: package health score, popularity, security, maintenance, ... This package uses async/await and requires Node.js 7.6 ...

async | Yarn - Package Manager
Although originally designed for use with Node.js and installable via npm i async , it can also be used directly in the browser....
