Describe the bug
When adding jest-schematic >2.1.1, `npm audit` reports a moderate security risk.
To Reproduce
Steps to reproduce the behavior:
1. Init an empty Angular project, e.g. `ng new jest-schematic-repro`
2. cd into the project dir
3. `ng add @briebug/jest-schematic` according to README
4. `npm audit` afterwards
```text
ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install @briebug/jest-schematic@2.1.1, which is a breaking change
node_modules/@schuchard/schematics-core/node_modules/ajv
  @angular-devkit/core  0.0.24 - 8.3.28 || 9.0.0-next.0 - 9.1.11 || 10.0.0-next.0 - 10.0.3
  Depends on vulnerable versions of ajv
  node_modules/@schuchard/schematics-core/node_modules/@angular-devkit/core
    @angular-devkit/schematics  0.0.43 - 8.3.28 || 9.0.0-next.0 - 9.1.11 || 10.0.0-next.0 - 10.0.3
    Depends on vulnerable versions of @angular-devkit/core
    node_modules/@schuchard/schematics-core/node_modules/@angular-devkit/schematics
      @schematics/angular  0.1.12 - 8.3.28 || 9.0.0-next.0 - 9.1.11 || 10.0.0-next.0 - 10.0.3
      Depends on vulnerable versions of @angular-devkit/core
      Depends on vulnerable versions of @angular-devkit/schematics
      node_modules/@schuchard/schematics-core/node_modules/@schematics/angular
        @schuchard/schematics-core  *
        Depends on vulnerable versions of @angular-devkit/core
        Depends on vulnerable versions of @angular-devkit/schematics
        Depends on vulnerable versions of @schematics/angular
        node_modules/@schuchard/schematics-core
          @briebug/jest-schematic  >=2.2.0
          Depends on vulnerable versions of @schuchard/schematics-core
          node_modules/@briebug/jest-schematic

6 moderate severity vulnerabilities
```
It recommends `npm audit fix --force`, which is hard to plan ahead for with a medium-sized dependency tree containing other, less severe security risks.
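One way to find exactly which nested copies of a package are below the fixed version, and which dependency path pulls them in, before deciding on a fix. This is an added example, not code from the issue or the jest-schematic project; the lockfile content and the versions in it are constructed to mirror the audit output above.

```javascript
// Added example: scan a package-lock.json (lockfileVersion 2/3 "packages" map)
// for installed copies of a package below a fixed version and report the
// node_modules path that nests them. SAMPLE_LOCK is constructed, not real.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/ajv": { version: "6.12.6" },                          // top-level copy, fixed
    "node_modules/@briebug/jest-schematic": { version: "2.2.0" },
    "node_modules/@schuchard/schematics-core": { version: "1.0.0" },    // constructed version
    "node_modules/@schuchard/schematics-core/node_modules/ajv": { version: "6.10.2" }, // constructed
  },
};

// Compare dotted numeric versions; returns -1, 0 or 1 (pre-release tags ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// "node_modules/@a/b/node_modules/c" -> ["@a/b", "c"]: the chain of packages
// whose private node_modules directories contain the final package.
function pathToChain(lockPath) {
  return lockPath.split("node_modules/").filter(Boolean).map(s => s.replace(/\/$/, ""));
}

// Every installed copy of `name` whose version is below `fixedIn`.
function findVulnerableCopies(lock, name, fixedIn) {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    const chain = pathToChain(p);
    if (chain[chain.length - 1] !== name) continue;
    if (compareVersions(meta.version, fixedIn) < 0) {
      hits.push({ path: p, version: meta.version, via: chain.slice(0, -1) });
    }
  }
  return hits;
}

for (const h of findVulnerableCopies(SAMPLE_LOCK, "ajv", "6.12.3")) {
  console.log(`ajv@${h.version} at ${h.path} (nested under: ${h.via.join(" -> ") || "top level"})`);
}
```

Replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project; copies that are only reachable through a nested path can then be handled with a targeted upgrade of the parent package instead of a blanket `--force`.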
Expected behavior
Adding jest-schematic does not worsen security.
Workaround
Pin the version to 2.1.1, e.g. explicitly do not install latest: `ng add @briebug/jest-schematic@2.1.1`. Or don't use this package. Instead follow the Jest setup guide on the official page https://jestjs.io.