Security issue with angular build dependent packages angular - security

We are facing a vulnerability issue with Angular 12.24 when scanned with the Black Duck tool.
Below are the packages with issues:
- postcss 7.0.36 (recommended 8.3.6)
- url-parse 1.5.1 (recommended 1.5.3)
- glob-parent 3.1.0 (recommended 6.0.1)
- einaros/ws 6.2.2 (recommended 8.0.0)
How can I update these versions, as they are dependencies of the core packages installed?
Tried solutions:
- npm audit fix: not working
- Updated to the latest Angular version: not working
- Updated package-lock.json: gets overwritten on npm i
Thanks in advance.

Related

Error while installing multer packages using npm

I am getting the following error while installing the multer package using npm.
```
dicer *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
No fix available
node_modules/dicer
busboy <=0.3.1
Depends on vulnerable versions of dicer
node_modules/busboy
multer <=2.0.0-rc.3
Depends on vulnerable versions of busboy
node_modules/multer
3 high severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
```
You can update multer to 1.4.5, the latest version, with npm i multer@latest; it uses busboy@1.0.0 without any vulnerabilities.
This is due to a vulnerability in the dicer dependency. Multer will still work; right now no fix is available. Maybe it will be resolved in the next update. Check this GitHub-reviewed vulnerability.
I am a novice and this is not advice on what you should do; I'm just relaying what I did and what the outcome was.
This is a duplicate of my post on the same issue on GitHub.
After deploying my Vue.js 3 app a week ago to Firebase, I was prompted to upgrade to the newest version of Firebase Tools (11.0.1) via npm. After doing this, I began experiencing the problem detailed in my comment on GitHub.
Having no other solutions on the table, I decided to uninstall firebase-tools (npm uninstall -g firebase-tools) and then reinstall the previous version (npm install -g firebase-tools@10.9.2).
BUT, after the first time I did this, I ran npm audit fix (not npm audit fix --force) and all I got was a ton of high severity warnings and problems.
So I decided to once again uninstall firebase-tools (npm uninstall -g firebase-tools) and then reinstall the previous version (npm install -g firebase-tools@10.9.2), and that's it (I did NOT run npm audit fix).
I proceeded to npm run build and firebase deploy --only hosting and it worked just fine. Definitely NOT a great or long-term solution. Good luck!

How to fix node.js vulnerabilities

Below are the vulnerabilities that I get:
```
Severity: high
The `size` option isn't honored after following a redirect in node-fetch - https://github.com/advisories/GHSA-w7rc-rwvf-8q5r
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
No fix available
node_modules/isomorphic-fetch/node_modules/node-fetch
Depends on vulnerable versions of node-fetch
node_modules/isomorphic-fetch
fbjs 0.7.0 - 1.0.0
Depends on vulnerable versions of isomorphic-fetch
node_modules/fbjs
fbemitter 2.0.3 - 3.0.0-alpha.1
Depends on vulnerable versions of fbjs
node_modules/fbemitter
expo >=14.0.0
Depends on vulnerable versions of fbemitter
node_modules/expo
Depends on vulnerable versions of fbemitter
node_modules/expo-updates
```
You can see that all vulnerabilities depend on node-fetch <=2.6.6. When I look up how to fix it on GitHub, it says that versions lower than 2.6.1 need to be updated. Yet my version is 2.6.6 and I'm still getting a vulnerability message. Are there any possible ways of fixing this? Another issue is that I can't seem to find it in the package-lock.json folder either, and I'm unable to update/change it manually. I've tried uninstalling the entire package-lock.json and reinstalling it, and I'm still stuck with this vulnerability message. Thanks to anyone who can help!

react-dev-utils latest version installs a vulnerable version of browserslist

react-dev-utils@11.0.4 installs a vulnerable version of browserslist, browserslist@4.14.2, although we have updated the package on GitHub: https://github.com/facebook/create-react-app/blob/main/packages/react-dev-utils/package.json#L57
[To test, you may simply create any folder, do npm i react-dev-utils and then check it using npm ls browserslist.]
I don't get what all the constraints for this are. (I don't see any package-lock.json for this package, which could be a potential reason for the vulnerability.) The older version has the reported vulnerability CVE-2021-23364.
> react-dev-utils@11.0.4 installing a vulnerable version of browserslist, browserslist@4.14.2, although we have updated the package on GitHub
This is because that package.json file resides in the default branch, which usually contains the latest or development code. At the time you posted the question, that change had not been published to the npm registry.
react-dev-utils@11.0.4 has browserslist@4.14.2 listed in its package.json, so that's the version that will be installed. Reference: https://cdn.jsdelivr.net/npm/react-dev-utils@11.0.4/package.json
You need at least react-dev-utils@12.0.0 to fix that vulnerability. See the versions tab.
> [to test out, you may simply create any folder and do npm i react-dev-utils and then check it using npm ls browserslist]
Running that command will install the latest version of react-dev-utils, which now has no vulnerability. So it will fix your issue.
> I don't see any package-lock.json for this package, which could be a potential reason for the vuln
package-lock.json cannot be published to the registry; only the top-level lock file is respected. Reference: Should package-lock.json also be published?
> this may be an example package, but how in general do we update to the latest package? I have tried npm update as well.
npm update respects the semver range that you've set in your package.json. If it's like "react-dev-utils": "11.0.4", that command won't do anything. If it's "react-dev-utils": "^11.0.4", it will try to update to the latest 11.x.x version, which you are already on, so again it won't do anything. Reference: npm update does not do anything
In general, if you want to upgrade every direct dependency to the latest version, you can use npm-check-updates before running npm update. Refer to https://nodejs.dev/learn/update-all-the-nodejs-dependencies-to-their-latest-version for a detailed guide. Related: How to update each dependency in package.json to the latest version?
Now, if it is not a direct dependency, as in your case, you can force resolutions. This is natively supported in Yarn and in npm v8.3.0 and above. In older npm versions you need to use a dependency like npm-force-resolutions. Related thread: npm equivalent of yarn resolutions?
There are many more related threads that you can easily find by searching on the web.
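As an added example (written for this page; not code from the question, the answer, or npm), the following models the semver ranges the answer above talks about, so you can see exactly why `npm update` stays on 11.0.4 for `"^11.0.4"` but moves for `"^12.0.0"`. It goes slightly beyond the answer's two cases: it also handles tilde ranges and the `>=x.y.z` form used in `engines`. The version list `AVAILABLE` is constructed for the demo, not fetched from the registry.

```javascript
// Added example for this page, not code from the question, the answer or npm:
// a small model of the semver ranges npm resolves, to show which version
// "npm update" can move to for a given package.json entry.
// AVAILABLE is a constructed version list, not fetched from the registry.
const AVAILABLE = ["11.0.3", "11.0.4", "12.0.0-next.47", "12.0.0", "12.0.1"];

function parseVersion(v) {
  const [core, pre] = v.split("-");
  const [major, minor, patch] = core.split(".").map(Number);
  return { major, minor, patch, prerelease: pre || null };
}

// Numeric compare of major.minor.patch; prerelease tags are not ordered here.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  return 0;
}

// Supports exact "x.y.z", caret "^x.y.z", tilde "~x.y.z" and ">=x.y.z" (the
// form used in "engines"). Prerelease versions never match: npm only matches
// them when the range names the same major.minor.patch prerelease, which this
// model leaves out.
function satisfies(version, range) {
  const m = range.match(/^(\^|~|>=)?(\d+\.\d+\.\d+)$/);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const [, op, base] = m;
  const v = parseVersion(version), r = parseVersion(base);
  if (v.prerelease) return false;
  const cmp = compareVersions(version, base);
  switch (op) {
    case undefined: return cmp === 0;              // "11.0.4": that version only
    case ">=": return cmp >= 0;
    case "~": return cmp >= 0 && v.major === r.major && v.minor === r.minor;
    case "^":                                      // same left-most non-zero part
      if (cmp < 0) return false;
      if (r.major !== 0) return v.major === r.major;
      if (r.minor !== 0) return v.major === 0 && v.minor === r.minor;
      return v.major === 0 && v.minor === 0 && v.patch === r.patch;
  }
}

// Highest available version inside the range, or null. This is the most
// "npm update" can do without package.json itself being edited.
function maxSatisfying(available, range) {
  const ok = available.filter((v) => satisfies(v, range));
  return ok.length ? ok.sort(compareVersions).pop() : null;
}

const CASES = ["11.0.4", "^11.0.4", "~11.0.3", "^12.0.0", ">=11.0.4"];
for (const range of CASES) {
  console.log(`"react-dev-utils": "${range}"  ->  npm update can reach ${maxSatisfying(AVAILABLE, range)}`);
}
```

With the constructed list, `"11.0.4"` and `"^11.0.4"` both resolve to 11.0.4 (nothing newer in 11.x exists), while `"^12.0.0"` and `">=11.0.4"` reach 12.0.1; the prerelease 12.0.0-next.47 is never chosen. That is the whole reason `npm update` appears to "do nothing": the range, not the tool, is the ceiling, and the fix is to raise the range (by hand or with npm-check-updates) and then install.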

TWISTLOCK Issue for lodash package while deploying

While deploying Node code I am getting a package vulnerability issue for lodash.
I have updated the lodash package version to the latest version, 4.17.21, but it is still showing the vulnerability issue.
Below is the error:
lodash 4.17.19 High Fixed IN 4.17.21
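The Angular/Black Duck question, the node-fetch question and this lodash question are all the same situation: the flagged version is a transitive copy that the direct dependency you upgraded does not control. The following is an added example written for this page (not code from any of the askers, and not npm's own tooling) that reads a package-lock.json, lists every installed copy of a flagged package, traces which direct dependency pulls each copy in, and emits an npm `overrides` stanza for the copies that are below the scanner's minimum. It assumes a lockfileVersion 2 or 3 lock with a "packages" map. The lock contents, the package `some-lib`, and the node-fetch minimum 2.6.7 are constructed or assumed for the demo; only lodash 4.17.21 is taken from the question above.

```javascript
// Added example written for this page; not code from any asker or from npm.
// Reads a package-lock.json "packages" map (lockfileVersion 2/3), lists every
// installed copy of a flagged package, traces which direct dependency pulls each
// copy in, and builds an npm "overrides" stanza for copies below the minimum.
// CONSTRUCTED_LOCK is made up for the demo; on a real project use
//   JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
const CONSTRUCTED_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { lodash: "^4.17.21", expo: "^44.0.0", "some-lib": "^1.0.0" } },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/expo": { version: "44.0.0", dependencies: { fbemitter: "^3.0.0" } },
    "node_modules/fbemitter": { version: "3.0.0", dependencies: { fbjs: "^1.0.0" } },
    "node_modules/fbjs": { version: "1.0.0", dependencies: { "isomorphic-fetch": "^3.0.0" } },
    "node_modules/isomorphic-fetch": { version: "3.0.0", dependencies: { "node-fetch": "^2.6.1" } },
    // nested copy: there is no top-level "node_modules/node-fetch" key at all
    "node_modules/isomorphic-fetch/node_modules/node-fetch": { version: "2.6.6" },
    // some-lib pins an exact old lodash, so a second, nested copy stays installed
    "node_modules/some-lib": { version: "1.0.0", dependencies: { lodash: "4.17.19" } },
    "node_modules/some-lib/node_modules/lodash": { version: "4.17.19" },
  },
};
// Scanner minimums: 4.17.21 is the fix version quoted in the Twistlock question;
// 2.6.7 is assumed as the first node-fetch release above the flagged <=2.6.6 range.
const RECOMMENDED = { lodash: "4.17.21", "node-fetch": "2.6.7" };

// "node_modules/a/node_modules/b" -> "node_modules/a"; "node_modules/a" -> "" (root)
function parentPath(key) {
  const i = key.lastIndexOf("/node_modules/");
  return i === -1 ? "" : key.slice(0, i);
}
// Package name at a lock key; keeps "@scope/name" intact.
function packageName(key) {
  return key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
}
// Node's lookup order: the nearest node_modules first, then each ancestor's.
function resolve(lock, fromKey, name) {
  for (let base = fromKey; ; base = parentPath(base)) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
  }
}
// Numeric compare of "x.y.z" cores; prerelease tags are ignored here.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}
function installedCopies(lock, name) {
  return Object.entries(lock.packages)
    .filter(([key]) => key !== "" && packageName(key) === name)
    .map(([key, entry]) => ({ path: key, version: entry.version }));
}
// Lock keys whose declared dependencies resolve to exactly targetKey.
function dependents(lock, targetKey) {
  return Object.entries(lock.packages)
    .filter(([key, e]) => Object.keys(e.dependencies || {}).some((d) => resolve(lock, key, d) === targetKey))
    .map(([key]) => key);
}
// Every path from a direct dependency of the root down to targetKey, as names.
function chainsTo(lock, targetKey, seen = new Set()) {
  if (targetKey === "") return [[]];
  if (seen.has(targetKey)) return []; // cycle guard
  const next = new Set(seen).add(targetKey);
  const chains = [];
  for (const dep of dependents(lock, targetKey)) {
    for (const prefix of chainsTo(lock, dep, next)) chains.push([...prefix, packageName(targetKey)]);
  }
  return chains;
}
// For each flagged package: every copy, who pulls it in, and whether it is below the minimum.
function auditLock(lock, recommended) {
  const report = {};
  for (const [name, min] of Object.entries(recommended)) {
    report[name] = installedCopies(lock, name).map((c) => ({
      path: c.path, version: c.version,
      below: compareVersions(c.version, min) < 0,
      chains: chainsTo(lock, c.path).map((chain) => chain.join(" > ")),
    }));
  }
  return report;
}
// package.json "overrides" (npm >= 8.3.0) for packages that have a copy below the minimum.
function overridesFor(report, recommended) {
  const overrides = {};
  for (const [name, copies] of Object.entries(report)) {
    if (copies.some((c) => c.below)) overrides[name] = recommended[name];
  }
  return overrides;
}

const report = auditLock(CONSTRUCTED_LOCK, RECOMMENDED);
for (const [name, copies] of Object.entries(report)) for (const c of copies) {
  console.log(`${name}@${c.version} at ${c.path}${c.below ? "  <- below minimum" : ""}`, c.chains.map((x) => `via ${x}`));
}
console.log("overrides:", JSON.stringify(overridesFor(report, RECOMMENDED)));
```

On the constructed lock this reports lodash 4.17.21 at the top level (fine) and a second lodash 4.17.19 under `some-lib` (the copy a scanner such as Twistlock or Black Duck still sees after you upgrade your own dependency), and node-fetch 2.6.6 reached only via expo > fbemitter > fbjs > isomorphic-fetch, which is why a search for a top-level `node_modules/node-fetch` entry finds nothing. `npm ls lodash` prints the same tree without any code. Two cautions before pasting the emitted `overrides` into package.json: the override only takes effect on npm 8.3.0 or newer (older npm silently ignores the field, which looks like "package-lock.json gets overwritten on npm i"), and an override is only a fix when the forced version is API-compatible with the package that consumes it. The Black Duck recommendations in the first question (postcss 7 to 8, glob-parent 3 to 6, ws 6 to 8) are all major bumps, so after overriding, rebuild and run the test suite rather than trusting a clean scan.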

Angular5 node js and npm installation problems

I have the latest versions of Node and npm installed, using which I installed angular/cli, but it's shooting me with the following errors: angular/cli and npm versions not compatible with the current version of Node.
I suspect that I may (not) be installing out of the proper directory. But at this point, what else can I do? Thanks.
[Screenshot with details of the issue]
I also faced a similar problem, but the solution was quite simple: my path was too long.
I shortened it a bit (two directories down) and then I did the install again, with success.
Here are the requirements:
Both the CLI and the generated project have dependencies that require Node 6.9.0 or higher, together with npm 3 or higher.
You are using the latest Node.js, 9.2;
you need to uninstall it or roll back to 8.9!
Here is a guide:
https://github.com/angular/angular-cli
Hope this solves it for you.
I faced a similar problem with the angular/cli version not being compatible with the current Node version. This generally happens when you are upgrading from a lower version of Angular to a higher version.
You can try the following steps:
- npm outdated: lists the latest and current package details in the local application.
- npm update: updates the local packages.
If it still doesn't work,
try deleting the node_modules folder and install the dependencies afresh:
npm install
You can then check whether all packages, including the CLI, are no longer outdated.
