nrwl / nx

Smart Monorepos · Fast CI
https://nx.dev
MIT License

Nx workspaces have a moderate vulnerability (Prototype Pollution by hoek) #532

Closed FrozenPandaz closed 5 years ago

FrozenPandaz commented 6 years ago

Preface

We cannot address this directly within Nx. We believe this vulnerability is important to address but do not think the risk is high.

This issue is to provide a detailed report of my findings about the vulnerability as well as to track progress of its resolution.

Current Behavior

Nx workspaces and Angular CLI workspaces in general have a Moderate vulnerability as reported by npm audit. Because Nx is an extension of the Angular CLI, we have inherited this issue.

npm audit reports multiple different versions of:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ng-packagr [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ng-packagr > node-sass > request > hawk > sntp > hoek        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

Relevant information

@angular-devkit/build-angular/ng-packagr depend on node-sass which eventually depends on hoek

These are devDependencies which are used at build-time of your application, meaning this vulnerability will not be in your deployed application. What is at risk is that your build system might be at risk while building your application.

node-sass allows compilation of sass which is built into the capabilities of most Angular build systems. There is no real feasible replacement for this at the moment.

Maintainers of node-sass have a fix for this issue and are planning to address it in their 5.0.0 release. Removing this dependency would cause a breaking change for Node 4 users so they are not doing it with their 4.x.x releases. :+1:

karma depends on log4js which eventually depends on hoek

This is actually an optionalDependency which is only used if you are using the mailgun appender.

If you are using the mailgun appender, please refer to this issue.

Maintainers of log4js are aware of this issue and have addressed it by upgrading the mailgun-js dependency. :+1:

Expected Behavior

Our dependencies fix the vulnerability. Once again, this is not something we can do within Nx and are waiting for resolutions from maintainers of our dependencies.
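The advisory above is a prototype pollution bug in a merge helper. As an added illustration of the defensive pattern (this is not code from the nrwl/nx issue, nor hoek's implementation, and the key names and helper functions are a generic example), the deep merge below refuses the keys through which the prototype chain can be rewritten and provides a check that `Object.prototype` is still clean:

```javascript
// Added example: a deep merge hardened against prototype pollution.
// Not hoek's code; a generic illustration of the mitigation.

// Keys that must never be copied from untrusted input into a merge target.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects are merged recursively; everything else is copied by reference.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Merge `source` into a fresh copy of `target`. Throws on an unsafe key instead of
// silently writing it, so a hostile payload fails loudly rather than polluting.
function safeMerge(target, source) {
  const result = {};
  for (const [key, value] of Object.entries(target)) {
    if (UNSAFE_KEYS.has(key)) throw new Error(`refusing to merge unsafe key "${key}"`);
    result[key] = value;
  }
  for (const [key, value] of Object.entries(source)) {
    if (UNSAFE_KEYS.has(key)) throw new Error(`refusing to merge unsafe key "${key}"`);
    const existing = Object.prototype.hasOwnProperty.call(result, key) ? result[key] : undefined;
    result[key] = isPlainObject(value) && isPlainObject(existing)
      ? safeMerge(existing, value)
      : value;
  }
  return result;
}

// Detection: properties injected via __proto__ are enumerable on Object.prototype,
// so a clean prototype has no own keys and a fresh object has no `probe` property.
function prototypeIsClean(probe = 'polluted') {
  return Object.keys(Object.prototype).length === 0 && !(probe in {});
}

// Constructed inputs. JSON.parse creates an own "__proto__" key, which is how
// such payloads arrive from request bodies or config files.
const benign = safeMerge({ a: 1, nested: { x: 1 } }, { nested: { y: 2 }, b: 3 });
const hostile = JSON.parse('{"__proto__": {"polluted": true}}');
let rejected = false;
try { safeMerge({}, hostile); } catch (e) { rejected = true; }
console.log(JSON.stringify(benign), 'rejected:', rejected, 'clean:', prototypeIsClean());
```

The throw is deliberate: dropping the key quietly hides the fact that hostile input reached the merge, while an exception surfaces it in logs where it can be investigated.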

FrozenPandaz commented 5 years ago

With https://github.com/nrwl/nx/pull/783, creating a new nx workspace will no longer have any security issues! ❇️

Workspaces will also automatically have their dependencies updated to avoid vulnerabilities.

Jasons-MacBook-Pro:newws jason$ npm audit

                       === npm audit security report ===

found 0 vulnerabilities
 in 39186 scanned packages
Jasons-MacBook-Pro:newws jason$

github-actions[bot] commented 1 year ago
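The triage in the first comment rests on two questions per finding: is the installed version inside the "Patched in" range the audit table prints, and is the path a build-time (devDependency) or runtime one. As an added example (not part of the issue and not nx's or npm's code), the block below implements both checks over a constructed advisory record. It assumes the field names of the npm 6 `npm audit --json` advisory format (`findings`, `paths`, `dev`, `optional`, `patched_versions`); the patched range and the ng-packagr path are taken from the table above, while the versions and the other two paths are made up:

```javascript
// Added example: triage an npm audit advisory by patched range and exposure.
// Assumes the npm 6 `npm audit --json` advisory shape; sample values are constructed.

// Range from the issue's audit table.
const PATCHED_RANGE = '> 4.2.0 < 5.0.0 || >= 5.0.3';

// "4.2.1" -> [4, 2, 1]
function parseVersion(v) {
  const parts = v.trim().split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// -1, 0 or 1, comparing major, minor, patch in order.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "> 4.2.0 < 5.0.0 || >= 5.0.3" -> alternatives (OR), each a list of comparators (AND).
function parseRange(range) {
  return range.split('||').map(alt => {
    const comparators = [];
    const re = /(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)/g;
    let m;
    while ((m = re.exec(alt)) !== null) {
      comparators.push({ op: m[1] || '=', version: parseVersion(m[2]) });
    }
    if (comparators.length === 0) throw new Error(`bad range: ${alt}`);
    return comparators;
  });
}

// True when `version` falls inside the patched range.
function satisfies(version, range) {
  const v = parseVersion(version);
  return parseRange(range).some(alt => alt.every(({ op, version: w }) => {
    const c = compareVersions(v, w);
    switch (op) {
      case '>': return c > 0;
      case '>=': return c >= 0;
      case '<': return c < 0;
      case '<=': return c <= 0;
      default: return c === 0;
    }
  }));
}

// Constructed advisory record (npm 6 audit JSON shape assumed).
const sampleAdvisory = {
  id: 566,
  module_name: 'hoek',
  severity: 'moderate',
  patched_versions: PATCHED_RANGE,
  findings: [
    // Build-time path from the issue's table; the version is constructed.
    { version: '4.1.0', dev: true, optional: false,
      paths: ['ng-packagr>node-sass>request>hawk>sntp>hoek'] },
    // Optional dependency; placeholder path, already on a patched version.
    { version: '4.2.1', dev: true, optional: true,
      paths: ['karma>log4js>...>hoek'] },
    // Constructed runtime path: the case that ships with the application.
    { version: '2.16.3', dev: false, optional: false,
      paths: ['example-app-dep>hoek'] },
  ],
};

// One row per path: patched?, build-time or runtime, optional?
function triage(advisory) {
  return advisory.findings.flatMap(f => f.paths.map(p => ({
    path: p,
    version: f.version,
    patched: satisfies(f.version, advisory.patched_versions),
    exposure: f.dev ? 'build-time' : 'runtime',
    optional: Boolean(f.optional),
  })));
}

// Rows that reach the deployed application unpatched; the build-time rows still
// matter (the build system is exposed) but carry the lower risk the issue describes.
function runtimeUnpatched(advisory) {
  return triage(advisory).filter(r => !r.patched && r.exposure === 'runtime');
}

console.table(triage(sampleAdvisory));
```

Run it with `node triage.js`; the `dev` flag does the classification the comment above does by hand, so the same logic applied to a real `npm audit --json` dump separates "fix before the next deploy" from "wait for the upstream release".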

This issue has been closed for more than 30 days. If this issue is still occurring, please open a new issue with more recent context.