briebug / jest-schematic

Angular schematic for adding Jest and the required files to an Angular CLI project
MIT License

Introduces moderate security risk through ajv #121

Open onkobu opened 2 years ago

onkobu commented 2 years ago

Describe the bug
When adding jest-schematic >2.1.1, npm audit reports a moderate security risk.

To Reproduce
Steps to reproduce the behavior:

  1. Init an empty Angular project, e.g. ng new jest-schematic-repro
  2. cd into the project dir
  3. ng add @briebug/jest-schematic according to README
  4. npm audit afterwards
ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install @briebug/jest-schematic@2.1.1, which is a breaking change
node_modules/@schuchard/schematics-core/node_modules/ajv
  @angular-devkit/core  0.0.24 - 8.3.28 || 9.0.0-next.0 - 9.1.11 || 10.0.0-next.0 - 10.0.3
  Depends on vulnerable versions of ajv
  node_modules/@schuchard/schematics-core/node_modules/@angular-devkit/core
    @angular-devkit/schematics  0.0.43 - 8.3.28 || 9.0.0-next.0 - 9.1.11 || 10.0.0-next.0 - 10.0.3
    Depends on vulnerable versions of @angular-devkit/core
    node_modules/@schuchard/schematics-core/node_modules/@angular-devkit/schematics
    @schematics/angular  0.1.12 - 8.3.28 || 9.0.0-next.0 - 9.1.11 || 10.0.0-next.0 - 10.0.3
    Depends on vulnerable versions of @angular-devkit/core
    Depends on vulnerable versions of @angular-devkit/schematics
    node_modules/@schuchard/schematics-core/node_modules/@schematics/angular
      @schuchard/schematics-core  *
      Depends on vulnerable versions of @angular-devkit/core
      Depends on vulnerable versions of @angular-devkit/schematics
      Depends on vulnerable versions of @schematics/angular
      node_modules/@schuchard/schematics-core
        @briebug/jest-schematic  >=2.2.0
        Depends on vulnerable versions of @schuchard/schematics-core
        node_modules/@briebug/jest-schematic

6 moderate severity vulnerabilities

Recommends npm audit fix --force, which is hard to plan ahead for with a medium-sized dependency tree containing other, less severe security risks.

Expected behavior
Adding jest-schematic does not worsen security.

Workaround
Pin the version to 2.1.1, i.e. explicitly do not install the latest: ng add @briebug/jest-schematic@2.1.1. Or don't use this package; instead follow the Jest setup guide on the official page https://jestjs.io.
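As an added example (not code from the jest-schematic project or from the reporter), a small Node.js script that scans a package-lock.json for every installed copy of ajv below the fixed version 6.12.3, so the nested path that npm audit names above can be located and checked before choosing between the pin-to-2.1.1 workaround and npm audit fix --force. The lockfile fragment is constructed to mirror the reported nesting; the package versions in it are placeholders.

```javascript
// Added example, not part of the jest-schematic project: find every installed
// copy of a package in a package-lock.json (lockfileVersion 2/3 "packages" map)
// that is older than the version an advisory was fixed in (here ajv < 6.12.3).

// Constructed lockfile fragment mirroring the nesting npm audit reported above.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'jest-schematic-repro', version: '0.0.0' },
    'node_modules/ajv': { version: '8.12.0' },
    'node_modules/@briebug/jest-schematic': { version: '2.2.0', dev: true },
    'node_modules/@schuchard/schematics-core/node_modules/ajv': { version: '6.10.2', dev: true },
  },
};

// Minimal semver ordering: numeric major.minor.patch, then a prerelease tag
// ("9.0.0-next.0") sorts below its release. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const [aMain, aPre] = a.split('-', 2);
  const [bMain, bPre] = b.split('-', 2);
  const an = aMain.split('.').map(Number);
  const bn = bMain.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = an[i] || 0, y = bn[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (!aPre && !bPre) return 0;
  if (!aPre) return 1;
  if (!bPre) return -1;
  return aPre < bPre ? -1 : aPre > bPre ? 1 : 0; // lexical tie-break, a simplification
}

// Every lockfile path ending in node_modules/<pkgName> whose version is below
// fixedIn; nested copies are matched the same way as the top-level one.
function findVulnerableCopies(lock, pkgName, fixedIn) {
  const suffix = `node_modules/${pkgName}`;
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    if (meta.version && compareVersions(meta.version, fixedIn) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Demo on the constructed lockfile: only the nested 6.10.2 copy is reported.
for (const hit of findVulnerableCopies(SAMPLE_LOCK, 'ajv', '6.12.3')) {
  console.log(`${hit.path}@${hit.version} is below the fixed version 6.12.3`);
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).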