nrwl / nx

Smart Monorepos · Fast CI
https://nx.dev
MIT License

Npm audit fails for `@nrwl/builders`: `7.8.7` - `node-sass Denial of Service` and `serialize-javascript Cross-Site Scripting` #2431

Closed calarconpieriz closed 4 years ago

calarconpieriz commented 4 years ago

Expected Behavior

Running the npm audit command should pass without vulnerabilities for version 7.8.7 using Angular 7 and Ngrx 7.

Current Behavior

npm audit
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-sass                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @nrwl/builders [dev]                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @nrwl/builders > @angular-devkit/build-angular > node-sass   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/961                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Cross-Site Scripting                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ serialize-javascript                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @nrwl/builders [dev]                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @nrwl/builders > @angular-devkit/build-angular >             │
│               │ copy-webpack-plugin > serialize-javascript                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1426                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Cross-Site Scripting                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ serialize-javascript                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @nrwl/builders [dev]                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @nrwl/builders > copy-webpack-plugin > serialize-javascript  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1426                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 vulnerabilities (1 low, 2 moderate) in 980348 scanned packages
  3 vulnerabilities require manual review. See the full report for details.

Failure Information (for bugs)

When you are running an Angular <= 7 application with Ngrx 7 and @nrwl/builders 7.8.7, the npm audit command shows some vulnerabilities. In order to fix them, it is necessary to update @nrwl/builders and @nrwl/schematics to a major version that forces you to update the Angular version and Ngrx as well, which contain breaking changes (specifically Ngrx), and that is a problem in a big application.

Context

    "@angular/animations": "^7.2.6",
    "@angular/cdk": "^7.3.3",
    "@angular/common": "^7.2.6",
    "@angular/compiler": "^7.2.6",
    "@angular/core": "^7.2.6",
    "@angular/forms": "^7.2.6",
    "@angular/http": "^7.2.6",
    "@angular/material": "^7.3.3",
    "@angular/material-moment-adapter": "^7.3.3",
    "@angular/platform-browser": "^7.2.6",
    "@angular/platform-browser-dynamic": "^7.2.6",
    "@angular/platform-server": "^7.2.6",
    "@angular/router": "^7.2.6",
    "@auth0/angular-jwt": "^2.0.0",
    "@ngrx/effects": "^7.0.0-beta.0",
    "@ngrx/store": "^7.0.0-beta.0",
    "@ngrx/store-devtools": "^7.0.0-beta.0",
    "@angular-builders/jest": "^7.4.2",
    "@angular-devkit/build-angular": "^0.803.24",
    "@angular/cli": "^7.3.2",
    "@angular/compiler-cli": "^7.2.6",
    "@angular/language-service": "^7.2.6",
    "@nrwl/builders": "^7.8.7",
    "@nrwl/schematics": "^7.8.7",

Other

The solution would be to update serialize-javascript to >=2.1.1 and node-sass to >=4.13.1 for version 7.8.7 (patch 7.8.8 for instance).

I also know that a workaround for this would be to use the npm force resolutions, but that would not be the best approach.

vsavkin commented 4 years ago

@calarconpieriz Thank you for submitting the issue. Unfortunately, we cannot make every version pass the audit checks because third-party deps (e.g., build-angular) are outside of our control. They also have ~ and ^ in their package.json, which means that even if the version passed the check once, it may not pass it again.

We are, however, making sure that npm audit passes every time we release a new version. For instance, both Nx 8.12.7 and 9.0.2 pass the check. In your case, the easiest thing might be to update the version of serialize-javascript in your package.json using resolutions (see here: https://github.com/nrwl/nx/issues/2458).

I'm going to close this issue.
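
The resolutions workaround recommended above, as an added example that is not code from this thread or from Nx: a small Node script that reads an `npm audit --json` report in the npm 6 format and derives the `resolutions` map that pins each flagged transitive package to its first patched release, while flagging advisories whose patched range is not a simple `>=x.y.z` for manual review. The report object is constructed to mirror the three findings shown in the issue; the installed `version` values in it are made up.

```javascript
// Constructed sample in the npm 6 `npm audit --json` shape. Advisory ids,
// severities, patched ranges and dependency paths mirror the audit output in
// the issue; the installed ("version") values are made up for the example.
const auditReport = {
  advisories: {
    961: {
      module_name: 'node-sass', severity: 'low', title: 'Denial of Service',
      patched_versions: '>=4.13.1',
      findings: [{ version: '4.12.0', dev: true,
        paths: ['@nrwl/builders>@angular-devkit/build-angular>node-sass'] }],
    },
    1426: {
      module_name: 'serialize-javascript', severity: 'moderate',
      title: 'Cross-Site Scripting', patched_versions: '>=2.1.1',
      findings: [{ version: '1.9.1', dev: true, paths: [
        '@nrwl/builders>@angular-devkit/build-angular>copy-webpack-plugin>serialize-javascript',
        '@nrwl/builders>copy-webpack-plugin>serialize-javascript',
      ] }],
    },
  },
};

// Lowest patched version from a plain ">=x.y.z" range. Anything else
// ("<0.0.0" meaning no fix exists, "||" unions, upper bounds) yields null so
// the advisory is routed to manual review instead of getting a guessed pin.
function minimumPatched(range) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(String(range).trim());
  return m ? m[1] : null;
}

// Derive a "resolutions" map (npm-force-resolutions / yarn) pinning each
// flagged package to its first patched release; record whether every finding
// sits on a devDependency path (build-time exposure only) and what needs a human.
function buildResolutions(report) {
  const resolutions = {};
  const devOnly = {};
  const manual = [];
  for (const [id, adv] of Object.entries(report.advisories)) {
    const pin = minimumPatched(adv.patched_versions);
    if (pin === null) {
      manual.push(`${id}:${adv.module_name}`);
      continue;
    }
    resolutions[adv.module_name] = pin;
    devOnly[adv.module_name] = adv.findings.every((f) => f.dev === true);
  }
  return { resolutions, devOnly, manual };
}

console.log(JSON.stringify(buildResolutions(auditReport), null, 2));
```

With npm 6 the resulting map goes under `"resolutions"` in package.json together with a `"preinstall": "npx npm-force-resolutions"` script (yarn honours `resolutions` natively, and npm 8.3+ offers the built-in `overrides` field for the same purpose). Re-run `npm audit` after installing, since the `^`/`~` ranges upstream can reintroduce a finding on the next install.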

calarconpieriz commented 4 years ago

@vsavkin thank you. I was able to solve it with the resolutions workaround.

github-actions[bot] commented 1 year ago

This issue has been closed for more than 30 days. If this issue is still occurring, please open a new issue with more recent context.