nrwl / nx

Smart Monorepos · Fast CI
https://nx.dev
MIT License
23.27k stars · 2.32k forks

Denial of Service (DoS) vulnerability introduced by a nested dependency (WS) of @nx/angular #27310

Closed R-Lek closed 1 month ago

R-Lek commented 1 month ago

Current Behavior

Apologies beforehand if this matter has already been resolved, but I've looked far and wide and failed to find it if it has.

ws, a nested dependency of @nx/angular, introduced a DoS vulnerability in version ws@8.17.0: https://github.com/advisories/GHSA-3h5v-q93c-6h6q

It appears that 2 weeks ago webpack-dev-server resolved the issue in their latest version, 5.0.4: https://github.com/webpack/webpack-dev-server/pull/5241 (package.json, v5.0.4)

However, as far as I can tell the latest version of @nx/angular (19.5.6) does not make use of this version yet in the above mentioned nested dependency tree.

Expected Behavior

No DoS vulnerability issues raised by nested dependency of @nx/angular

Suggestion

Make use of ws version 8.17.1 (or higher) in nested dependencies, since the vulnerability was resolved in that version.

GitHub Repo

No response

Steps to Reproduce

  1. Have @nx/angular as a dependency in your project
  2. Make use of Snyk to be informed about the vulnerability

Nx Report

Node   : 20.12.2
OS     : darwin-arm64
npm    : 10.5.0

nx                 : 19.3.0
@nx/js             : 19.3.0
@nx/jest           : 19.3.0
@nx/linter         : 19.3.0
@nx/eslint         : 19.3.0
@nx/workspace      : 19.3.0
@nx/angular        : 19.3.0
@nx/cypress        : 19.3.0
@nx/devkit         : 19.3.0
@nx/esbuild        : 19.3.0
@nx/eslint-plugin  : 19.3.0
@nx/node           : 19.3.0
@nx/plugin         : 19.3.0
@nx/storybook      : 19.3.0
@nrwl/tao          : 19.3.0
@nx/web            : 19.3.0
@nx/webpack        : 19.3.0
typescript         : 5.4.5
---------------------------------------
Registered Plugins:
@nx/eslint/plugin
---------------------------------------
Community plugins:
@compodoc/compodoc   : 1.1.24
@ngrx/effects        : 17.2.0
@ngrx/entity         : 17.2.0
@ngrx/router-store   : 17.2.0
@ngrx/schematics     : 17.2.0
@ngrx/signals        : 17.2.0
@ngrx/store          : 17.2.0
@ngrx/store-devtools : 17.2.0
@storybook/angular   : 8.1.7
ng-mocks             : 14.13.0
ngx-toastr           : 18.0.0
---------------------------------------
Local workspace plugins:
     @fl/tools

Failure Logs

No response

Package Manager Version

No response

Operating System

Additional Information

No response

R-Lek commented 1 month ago

Thx!

github-actions[bot] commented 6 days ago

This issue has been closed for more than 30 days. If this issue is still occurring, please open a new issue with more recent context.