Understanding and handling Angular npm audit fixes and dependencies - node.js

I need some help understanding and properly correcting the vulnerabilities I see when I run an npm audit (or just npm install) on my Angular project. I just updated from Angular v12 to v13 and there were several vulnerabilities listed. Note, I already ran an 'npm install' and an 'npm update' but still get these audit warnings. The problem is, I don't understand which vulnerabilities I can fix by updating a package, without causing issues with Angular. I started investigating this and noticed that my angular dependencies don't even list the older version being called out by the npm audit, so apparently I don't even understand that.
Further below are 6 examples of audit warnings from over 20 that appear for the postcss package when I run 'npm audit' in my workspace. However, in my package-lock.json file, "@angular-devkit/build-angular" has a "requires" list that includes:
"postcss": "8.4.4",
"postcss-import": "14.0.2",
"postcss-loader": "6.2.1",
"postcss-preset-env": "6.7.0",
I have so many questions... first off, postcss is listed as 8.4.4 so I don't understand why I would have a version previous to 8.2.13 installed, per the audit warning. But, the audit warning says "Path @angular-devkit/build-angular > postcss-preset-env > autoprefixer > postcss"... so does this mean that postcss-preset-env is a different package that's using an older version of the postcss package as its own dependency? More importantly, does this indicate that the older version (6.7.0 in this case) is required and if I update this or run the audit fix, that I'm not fulfilling the dependency here? After all, there's no caret (^6.7.0) so it seems to be indicating a specific version. I just can't tell what I can or should do here. I resolved other 'high' vulnerabilities that were not related to Angular, but what do I do about these ones? Can I fix them without breaking my app? What command would actually update postcss-preset-env? Should I just ignore these as warnings the Angular team has already reviewed and gone ahead with, in their release?
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > autoprefixer > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > css-blank-pseudo > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > css-has-pseudo > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > css-prefers-color-scheme > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > postcss-attribute-case-insensitive > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5
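Added example, not code from the question, from npm or from Angular: a small Node script that walks a lockfileVersion 2 package-lock.json (a constructed fragment is embedded) and lists every installed copy of postcss, which shows why a top-level postcss 8.4.4 and nested postcss 7.x copies under autoprefixer or postcss-preset-env can coexist: each package's own declared range wins for the copy nested beneath it. It also reports whether forcing the patched line, for instance through the npm `overrides` field (npm 8.3 and later, npm's counterpart of the yarn `resolutions` mentioned in the related answers), would still satisfy the owning package's declared range; the version numbers and ranges in the fragment are assumptions for illustration.

```javascript
// Added example (not from the question or from npm): list every installed copy of a package
// in a lockfileVersion 2 package-lock.json and flag copies below the advisory's "Patched in"
// version. v2 keys "packages" by install path, so a nested copy is its own entry.
// Constructed lock fragment; versions and ranges are illustrative, not from a real project.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/postcss": { version: "8.4.4" },
    "node_modules/@angular-devkit/build-angular": { version: "13.0.4", dev: true,
      dependencies: { postcss: "8.4.4", "postcss-preset-env": "6.7.0" } },
    "node_modules/postcss-preset-env": { version: "6.7.0", dev: true,
      dependencies: { autoprefixer: "^9.6.1", postcss: "^7.0.17" } },
    "node_modules/postcss-preset-env/node_modules/postcss": { version: "7.0.39", dev: true },
    "node_modules/autoprefixer": { version: "9.8.8", dev: true, dependencies: { postcss: "^7.0.32" } },
    "node_modules/autoprefixer/node_modules/postcss": { version: "7.0.39", dev: true },
  },
};

// Numeric dotted-version compare (prerelease suffixes ignored): negative, zero or positive.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number), pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Does `version` satisfy a declared range? Exact "x.y.z" and caret "^x.y.z" only; else null.
function satisfies(version, range) {
  if (/^\d/.test(range)) return compareVersions(version, range) === 0;
  if (!range.startsWith("^")) return null;
  const base = range.slice(1);
  return version.split(".")[0] === base.split(".")[0] && compareVersions(version, base) >= 0;
}

// For every installed copy of `name`: its path, the package owning the nested copy, the range
// that owner declared, whether it is below `patchedIn`, and whether an override to `patchedIn`
// would still satisfy the owner's declared range (false means expect breakage or a re-check).
function findCopies(lock, name, patchedIn) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages)
    .filter(([p]) => p === suffix || p.endsWith("/" + suffix))
    .map(([p, meta]) => {
      const ownerPath = p === suffix ? "" : p.slice(0, p.length - suffix.length - 1);
      const owner = ownerPath ? ownerPath.split("node_modules/").pop() : "(top level)";
      const declared = ownerPath ? (lock.packages[ownerPath].dependencies || {})[name] : undefined;
      return { path: p, owner, version: meta.version, dev: !!meta.dev, declared,
        vulnerable: compareVersions(meta.version, patchedIn) < 0,
        overrideSatisfiesOwner: declared === undefined ? null : satisfies(patchedIn, declared) };
    });
}

for (const c of findCopies(sampleLock, "postcss", "8.2.13")) console.log(c);
```

Point the script at a real lock with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `sampleLock`; `npm ls postcss` gives the same nesting view from npm itself.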

Related

How to resolve gulp/glob-parent vulnerabilities?

I have been getting vulnerabilities in internal dependency glob-parent package of npm package - gulp.
High glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex
Package glob-parent
Patched in >=5.1.2
Dependency of gulp [dev]
Path gulp > glob-watcher > chokidar > glob-parent
I have gone through other questions as well regarding the same topic but I am unsure that those ways will keep the application working as it is now as I have seen different versions of glob-parent in package-lock.json.
Those suggested to use overrides property in package.json for glob-parent or add glob-parent to resolutions section.
Also, it has been found that this is a false positive vulnerability which is only reported in the case of npm, not Yarn.
For certain reasons, I will have to use npm only.
Please suggest a way to get rid of these vulnerabilities where it should not affect the application.

What exactly do I do about gulp 4.0.2 dependency vulnerabilities?

In my package.json I have listed gulp as one of my dependencies.
{
"name": "myproject",
"devDependencies": {
"gulp": "^4.0.2"
// other stuff
}
}
When I run npm i I get a message there are moderate security vulnerabilities. So I do npm audit and I get this
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Regular expression denial of service
Package glob-parent
Patched in >=5.1.2
Dependency of gulp [dev]
Path gulp > glob-watcher > chokidar > glob-parent
More info https://npmjs.com/advisories/1751
Moderate Regular expression denial of service
Package glob-parent
Patched in >=5.1.2
Dependency of gulp [dev]
Path gulp > vinyl-fs > glob-stream > glob-parent
More info https://npmjs.com/advisories/1751
found 2 moderate severity vulnerabilities in 751 scanned packages
2 vulnerabilities require manual review. See the full report for details.
So then I thought it was all a matter of changing the version of gulp to the highest version where it is (probably) patched. But it seems that this is already the highest version, so what do I do about the vulnerability?
If anyone is curious how I actually "solved" this issue, I started using yarn for all my projects. To me it seems superior to npm.
The following commands will take care of you:
Install yarn
Remove npm's "package-lock" to not mix project package managers
Run yarn
Enjoy
Commands:
npm i --global yarn
rm -rf package-lock.json
yarn

moderate severity vulnerabilities with angular

I am developing a web application with Angular but I have a problem installing json server. Please help me correct this problem.
Depends on vulnerable versions of browserslist
node_modules/react-dev-utils
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via npm audit fix --force
Will install react-scripts#1.1.5, which is a breaking change
node_modules/react-scripts/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/react-scripts/node_modules/webpack-dev-server/node_modules/chokidar
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/react-scripts/node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/react-scripts/node_modules/webpack
webpack-dev-server 2.0.0-beta - 3.11.2
Depends on vulnerable versions of chokidar
node_modules/react-scripts/node_modules/webpack-dev-server
node_modules/webpack-dev-server
@angular-devkit/build-angular *
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
@angular-devkit/build-webpack *
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-webpack
@pmmmwh/react-refresh-webpack-plugin 0.3.1 - 0.5.0-beta.4
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts/node_modules/@pmmmwh/react-refresh-webpack-plugin
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
12 moderate severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
It's just a warning to let you know that there are some known vulnerabilities in the packages you are using in your project.
Vulnerabilities can be misbehavior, bugs, crashes, security vulnerabilities, etc...
npm keeps track of known vulnerabilities of all the npm packages.
So basically you have to wait for updates to your package to fix the vulnerability; you can also try to use a different version of the package, or use a different package.
Duplicate of: how to solve this npm glob-parent problem
Answer: https://stackoverflow.com/a/68342168/158649
As it is a dev dependency, not a big deal,
npm update glob-parent@5.1.2 --depth 4
has no effect on the npm audit message.
npm audit warnings can be a little bit boy-crying-wolf sometimes.
npm install glob-parent@5.1.2 --save-dev
does remove the warning but not really much to worry about.

how to fix postcss vulnerability in reactjs

Suddenly I got around 79 moderate vulnerabilities related to the postcss package.
One of them is:
Moderate Regular Expression Denial of Service
Package postcss
Patched in >=8.2.10
Dependency of react-scripts
Path react-scripts > resolve-url-loader > postcss
More info https://npmjs.com/advisories/1693
I tried running npm audit fix but these require manual review.
Does anyone know how to fix these?
You could wait for react-scripts to update their dependencies or as an alternative use "resolutions" in your package.json to overrule the version:
"resolutions": {
"postcss": "^8.2.10"
}

How to manually fix the vulnerabilities shown during npm install?

I am a beginner to NodeJS and during the installation of packages I encountered some vulnerability errors. I have encountered a few errors previously as well, which were fixed by simply updating the packages. Also, 'npm audit fix' didn't help. Following is the result of 'npm audit'. Can anyone tell me how I can update these dependencies manually?
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Command Injection
Package tree-kill
Patched in >=1.2.2
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > @ngtools/webpack > tree-kill
More info https://npmjs.com/advisories/1432
High Command Injection
Package tree-kill
Patched in >=1.2.2
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > tree-kill
More info https://npmjs.com/advisories/1432
found 2 high severity vulnerabilities in 16547 scanned packages
2 vulnerabilities require manual review. See the full report for details.
Also, can I update the 'tree-kill' package under the paths '@angular-devkit/build-angular > @ngtools/webpack > tree-kill' and '@angular-devkit/build-angular > tree-kill' manually? If yes, then how do I do it?
npm version - 6.12.1
node version - 12.13.1
Thank You for helping!