Dependencies on vulnerable versions of libraries

[atuzovic]

Command

other

Is this a regression?

• [x] Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

12

Description

When "npm audit" is done for project that has @angular-devkit/build-angular 16.2.0 as devDependency, following report is generated:

# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.1002.1, which is a breaking change
node_modules/request
  webdriver-manager  *
  Depends on vulnerable versions of request
  Depends on vulnerable versions of xml2js
  node_modules/webdriver-manager
    protractor  >=1.3.0
    Depends on vulnerable versions of selenium-webdriver
    Depends on vulnerable versions of webdriver-js-extender
    Depends on vulnerable versions of webdriver-manager
    node_modules/protractor
      @angular-devkit/build-angular  >=0.1100.0-next.0
      Depends on vulnerable versions of protractor
      node_modules/@angular-devkit/build-angular

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.1002.1, which is a breaking change
node_modules/tough-cookie

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.1002.1, which is a breaking change
node_modules/xml2js
  selenium-webdriver  2.43.1 - 4.0.0-rc-2
  Depends on vulnerable versions of xml2js
  node_modules/selenium-webdriver
    webdriver-js-extender  *
    Depends on vulnerable versions of selenium-webdriver
    node_modules/webdriver-js-extender

8 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

It's important to note that this is happening on only few of the projects, not all. What is confusing is that all projects have (or at least seems to have) same contents for angular.json and package.json.

Minimal Reproduction

npm audit

package.json contents:

{ "name": "app", "version": "0.0.0", "scripts": { "ng": "ng", "start": "echo . && ng serve --verbose", "build": "ng build", "test": "ng test" }, "private": true, "dependencies": { "@ag-grid-community/angular": "30.1.0", "@ag-grid-community/client-side-row-model": "30.1.0", "@ag-grid-community/core": "30.1.0", "@ag-grid-community/styles": "^30.1.0", "@angular/animations": "~16.2.2", "@angular/cdk": "^16.2.1", "@angular/common": "~16.2.2", "@angular/compiler": "~16.2.2", "@angular/core": "~16.2.2", "@angular/forms": "~16.2.2", "@angular/google-maps": "^16.2.1", "@angular/localize": "^16.2.2", "@angular/material": "^16.2.1", "@angular/platform-browser": "~16.2.2", "@angular/platform-browser-dynamic": "~16.2.2", "@angular/router": "~16.2.2", "@fortawesome/angular-fontawesome": "^0.13.0", "@fortawesome/fontawesome-svg-core": "^6.4.2", "@fortawesome/free-brands-svg-icons": "^6.4.2", "@fortawesome/pro-duotone-svg-icons": "^6.4.2", "@fortawesome/pro-light-svg-icons": "^6.4.2", "@fortawesome/pro-regular-svg-icons": "^6.4.2", "@fortawesome/pro-solid-svg-icons": "^6.4.2", "@fortawesome/pro-thin-svg-icons": "^6.4.2", "@ng-select/ng-select": "^11.1.1", "@ngbracket/ngx-layout": "^16.0.0", "@ngx-translate/core": "^15.0.0", "@tinymce/tinymce-angular": "^7.0.0", "ace-builds": "^1.24.1", "chart.js": "^4.4.0", "chartjs-adapter-dayjs-4": "^1.2.3", "cropperjs": "1.6.0", "d3-scale-chromatic": "^3.0.0", "dayjs": "^1.11.9", "lodash-es": "^4.17.21", "material-design-icons": "^3.0.1", "ng2-date-picker": "^16.0.0", "ng2-file-upload": "^5.0.0", "ngx-ace-wrapper": "^14.0.0", "ngx-color-picker": "^14.0.0", "ngx-json-viewer": "^3.2.1", "prismjs": "^1.29.0", "rxjs": "~7.8.1", "tinymce": "^6.6.2", "tslib": "^2.6.2", "zone.js": "~0.13.1" }, "devDependencies": { "@angular-devkit/build-angular": "^16.2.0", "@angular/cli": "^16.2.0", "@angular/compiler-cli": "^16.2.2", "@angular/language-service": "^16.2.2", "@types/d3": "^7.4.0", "@types/jasmine": "~4.3.5", "@types/lodash-es": "^4.17.8", "jasmine-core": "~5.1.1", "karma": "~6.4.2", "karma-chrome-launcher": "~3.2.0", "karma-coverage": "~2.2.1", "karma-jasmine": "~5.1.0", "karma-jasmine-html-reporter": "^2.1.0", "typescript": "~5.1.6" } }

Exception or Error

No response

Your Environment

Angular CLI: 16.2.0
Node: 18.17.1
Package Manager: npm 9.8.1
OS: win32 x64

Angular:
...

Package                      Version
------------------------------------------------------
@angular-devkit/architect    0.1602.0 (cli-only)
@angular-devkit/core         16.2.0 (cli-only)
@angular-devkit/schematics   16.2.0 (cli-only)
@schematics/angular          16.2.0 (cli-only)

Anything else relevant?

No response

[JeanMeche]

Can you run npm ls @angular-devkit/build-angular. Something seems to pull an old version.

[atuzovic]

@JeanMeche Sure, I did, and this is the output I got:

-- @angular-devkit/build-angular@16.2.0

[alan-agius4]

Hi @arturovt, none of the above mentioned dependencies are direct dependencies of the Angular CLI or it's packages. Therefore this is not actionable from our end.

You can use npm ls <package-name> to identify who is installing the dependency, it is also worth mentioning that it's important that periodically the package-lock file is maintained or freshly generated to keep it in sync. For instance in this case it might solve some or all of the above mentioned issues.

The audit report mentions @angular-devkit/build-angular, because if you choose to run npm audit fix --force an incompatible version will be installed which is likely due to incompatible peer dependencies.

[atuzovic]

@alan-agius4 You actually did provide resolution for this. We have previously removed node_modules and that did not help. However, after deleting package-lock.json and reinstalling packages, there are no more vulnerabilities present. Thank you!

[angular-automatic-lock-bot[bot]]

This issue has been automatically locked due to inactivity. Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}