
NPM audit of Angular 13 project shows 17 high vulnerabilities


Current Behavior

npm audit is reporting high severity vulnerabilities because of the async package dependency, which has to be updated.

Steps to Reproduce

Install nrwl angular at version 13.10.1 and run npm audit. Dependency tree:

├─┬ @nrwl/angular@13.10.1
│ └─┬ @nrwl/devkit@13.10.1
│   └─┬ ejs@3.1.6
│     └─┬ jake@10.8.4
│       └── async@0.9.2

Failure Logs

$ npm audit
# npm audit report

async  <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install @nrwl/eslint-plugin-nx@11.1.5, which is a breaking change
node_modules/jake/node_modules/async
node_modules/portfinder/node_modules/async
  jake  >=8.0.1
  Depends on vulnerable versions of async
  node_modules/jake
    ejs  >=3.1.2
    Depends on vulnerable versions of jake
    node_modules/ejs
      @nrwl/devkit  *
      Depends on vulnerable versions of ejs
      node_modules/@nrwl/devkit
        @nrwl/angular  11.0.0-beta.1 - 999.9.9
        Depends on vulnerable versions of @nrwl/devkit
        Depends on vulnerable versions of @nrwl/linter
        Depends on vulnerable versions of @nrwl/storybook
        node_modules/@nrwl/angular
        @nrwl/cypress  8.0.0-alpha.1 - 8.0.0-rc.4 || 11.0.0-beta.1 - 999.9.9
        Depends on vulnerable versions of @nrwl/devkit
        Depends on vulnerable versions of @nrwl/linter
        Depends on vulnerable versions of @nrwl/workspace
        node_modules/@nrwl/cypress
        @nrwl/eslint-plugin-nx  11.0.0-beta.1 - 11.1.0-beta.4 || >=11.2.0-beta.1
        Depends on vulnerable versions of @nrwl/devkit
        Depends on vulnerable versions of @nrwl/workspace
        node_modules/@nrwl/eslint-plugin-nx
        @nrwl/jest  11.0.0-beta.1 - 999.9.9
        Depends on vulnerable versions of @nrwl/devkit
        node_modules/@nrwl/jest
          @nrwl/linter  11.2.0-beta.1 - 999.9.9
          Depends on vulnerable versions of @nrwl/devkit
          Depends on vulnerable versions of @nrwl/jest
          node_modules/@nrwl/linter
            @nrwl/storybook  >=11.0.0-beta.1
            Depends on vulnerable versions of @nrwl/devkit
            Depends on vulnerable versions of @nrwl/linter
            Depends on vulnerable versions of @nrwl/workspace
            node_modules/@nrwl/storybook
            @nrwl/workspace  11.0.0-beta.1 - 999.9.9
            Depends on vulnerable versions of @nrwl/devkit
            Depends on vulnerable versions of @nrwl/linter
            node_modules/@nrwl/workspace
  portfinder  0.1.0 || >=0.4.0
  Depends on vulnerable versions of async
  node_modules/portfinder
    http-server  >=0.8.0
    Depends on vulnerable versions of portfinder
    node_modules/http-server
    webpack-dev-server  >=2.0.0-beta
    Depends on vulnerable versions of portfinder
    node_modules/webpack-dev-server
      @angular-devkit/build-angular  *
      Depends on vulnerable versions of @angular-devkit/build-webpack
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-angular
        jest-preset-angular  9.0.0-next.0 - 9.0.4 || >=11.1.0
        Depends on vulnerable versions of @angular-devkit/build-angular
        node_modules/jest-preset-angular
      @angular-devkit/build-webpack  *
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-webpack

17 high severity vulnerabilities

Environment

nx report

NX Report complete - copy this into the issue template

Node : 16.13.2
OS : win32 x64
npm : 8.6.0

nx : 13.10.1
@nrwl/angular : 13.10.1
@nrwl/cypress : 13.10.1
@nrwl/detox : Not Found
@nrwl/devkit : 13.10.1
@nrwl/eslint-plugin-nx : 13.10.1
@nrwl/express : Not Found
@nrwl/jest : 13.10.1
@nrwl/js : Not Found
@nrwl/linter : 13.10.1
@nrwl/nest : Not Found
@nrwl/next : Not Found
@nrwl/node : Not Found
@nrwl/nx-cloud : Not Found
@nrwl/nx-plugin : Not Found
@nrwl/react : Not Found
@nrwl/react-native : Not Found
@nrwl/schematics : Not Found
@nrwl/storybook : 13.10.1
@nrwl/web : Not Found
@nrwl/workspace : 13.10.1
typescript : 4.6.3
rxjs : 7.5.5

Community plugins:
@fortawesome/angular-fontawesome: 0.10.2
@ngrx/component-store: 13.0.1
@ngrx/effects: 13.0.1
@ngrx/entity: 13.0.1
@ngrx/router-store: 13.0.1
@ngrx/store: 13.0.1
@ngrx/store-devtools: 13.0.1
@compodoc/compodoc: 1.1.19
@testing-library/angular: 11.0.4

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments:6

Top GitHub Comments

7 reactions
fbartho commented, Apr 18, 2022

I’m running into this issue as well:

@nrwl/eslint-plugin-nx@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.2
@nrwl/express@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.2
@nrwl/jest@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.2
@nrwl/linter@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.2
@nrwl/node@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.2
@nrwl/workspace@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.2

It’s concerning that different @nrwl packages depend on vastly different versions of async. I think we’re lucky that this didn’t cause problems sooner.

7 reactions
Cono52 commented, Apr 20, 2022

NPM audit is not very sophisticated in what it thinks is an actual vulnerability, i.e. code running on a user's device / a live server vs. just running locally or building in CI pipelines.

This blog post articulates some points on NPM audit quite well: https://overreacted.io/npm-audit-broken-by-design/

EDIT: Not saying to disregard the output completely.
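The audit report in the issue lists async@0.9.2 under node_modules/jake/node_modules/async, and the comment above makes the point that npm audit does not tell you whether a chain like @nrwl/angular > @nrwl/devkit > ejs > jake > async is build-time only or ships to users. The script below is an added example, not code from the issue or from the Nx project: it walks a package-lock.json (lockfileVersion 2 "packages" map), lists every dependency chain that reaches a version of async inside the audit's "<3.2.2" range, marks whether the chain is reachable only through the root's devDependencies (the chains that `npm audit --omit=dev`, formerly `--production`, leaves out), and prints a candidate package.json "overrides" block for the runtime chains. The lockfile is constructed inline and modelled on the tree in the issue; "example-runtime-lib" and its versions are invented to show a runtime chain beside the dev-only one.

```javascript
// Added example (not the issue's or Nx's own code): triage an npm audit finding
// by walking package-lock.json instead of trusting the flat audit summary.
//
// Constructed lockfile (lockfileVersion 2 "packages" map) modelled on the tree in
// the issue. "example-runtime-lib" is invented for illustration.
const LOCK = {
  lockfileVersion: 2,
  packages: {
    "": {
      dependencies: { "example-runtime-lib": "^1.0.0" },
      devDependencies: { "@nrwl/angular": "13.10.1" },
    },
    "node_modules/async": { version: "3.2.3" },                 // hoisted, fixed copy
    "node_modules/example-runtime-lib": { version: "1.0.0", dependencies: { async: "^2.0.0" } },
    "node_modules/example-runtime-lib/node_modules/async": { version: "2.6.3" }, // nested, < 3.2.2
    "node_modules/@nrwl/angular": { version: "13.10.1", dev: true, dependencies: { "@nrwl/devkit": "13.10.1" } },
    "node_modules/@nrwl/devkit": { version: "13.10.1", dev: true, dependencies: { ejs: "^3.1.5" } },
    "node_modules/ejs": { version: "3.1.6", dev: true, dependencies: { jake: "^10.6.1" } },
    "node_modules/jake": { version: "10.8.4", dev: true, dependencies: { async: "0.9.x" } },
    "node_modules/jake/node_modules/async": { version: "0.9.2", dev: true },
  },
};

// Minimal x.y.z comparison; enough for the "< 3.2.2" range in the audit report.
function lessThan(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Node resolution as recorded in the lockfile: the nearest node_modules/<name>
// walking up from the requiring package's own path ("" is the project root).
// This is why jake gets node_modules/jake/node_modules/async@0.9.2 even though a
// fixed async@3.2.3 is hoisted at node_modules/async.
function resolveDep(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (dir === "") return null;
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx === -1 ? "" : dir.slice(0, idx);
  }
}

// Every chain from the root to a version of `target` for which isVulnerable() holds.
// Only the root's devDependencies create "dev" edges: a transitive package's own
// devDependencies are never installed, so they cannot make a chain dev-only.
function findVulnerableChains(lock, target, isVulnerable) {
  const pkgs = lock.packages;
  const findings = [];
  function walk(path, chain, devOnly, seen) {
    const entry = pkgs[path];
    if (!entry || seen.has(path)) return; // guard against dependency cycles
    const nextSeen = new Set(seen).add(path);
    const edges = Object.keys(entry.dependencies || {}).map((n) => [n, false]);
    if (path === "") for (const n of Object.keys(entry.devDependencies || {})) edges.push([n, true]);
    for (const [name, devEdge] of edges) {
      const next = resolveDep(pkgs, path, name);
      if (!next) continue;
      const version = pkgs[next].version;
      const nextChain = [...chain, `${name}@${version}`];
      const nextDev = devOnly || devEdge;
      if (name === target) {
        if (isVulnerable(version)) findings.push({ chain: nextChain, version, devOnly: nextDev });
      } else {
        walk(next, nextChain, nextDev, nextSeen);
      }
    }
  }
  walk("", [], false, new Set());
  return findings;
}

// Candidate package.json "overrides" (npm >= 8.3; the reporter is on npm 8.6.0),
// keyed by the immediate dependent so only that edge is forced to fixedRange.
// Caveat: forcing a 0.9.x consumer onto 3.x can break the dependent's own use of
// the async API, so treat this as a starting point to test, not an automatic fix.
function suggestOverrides(findings, target, fixedRange) {
  const overrides = {};
  for (const f of findings) {
    const parent = f.chain.length > 1 ? f.chain[f.chain.length - 2].replace(/@[^@]+$/, "") : null;
    if (parent) overrides[parent] = { ...(overrides[parent] || {}), [target]: fixedRange };
    else overrides[target] = fixedRange;
  }
  return { overrides };
}

const vulnerable = (v) => lessThan(v, "3.2.2"); // range taken from the audit output
const findings = findVulnerableChains(LOCK, "async", vulnerable);
for (const f of findings) {
  console.log(`${f.devOnly ? "dev-only " : "RUNTIME  "}${f.chain.join(" > ")}`);
}
console.log(JSON.stringify(suggestOverrides(findings.filter((f) => !f.devOnly), "async", "^3.2.2"), null, 2));
```

Run against a real project by replacing LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`. The dev-only chain through jake is the one the audit output in the issue complains about; it is exercised only when Nx generators run on a developer machine or in CI, which is the distinction the comment above is drawing. A runtime chain is the one worth an override or an upstream bump, and after editing "overrides" you need `npm install` to rewrite the lockfile and a rerun of the dependent's tests, because `npm audit fix --force` would instead downgrade @nrwl/eslint-plugin-nx to 11.1.5 as the report warns.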

