Closed FrozenPandaz closed 5 years ago
With https://github.com/nrwl/nx/pull/783, creating a new Nx workspace will no longer have any security issues! ❇️
Workspaces will also automatically have their dependencies updated to avoid vulnerabilities.
Jasons-MacBook-Pro:newws jason$ npm audit
=== npm audit security report ===
found 0 vulnerabilities
in 39186 scanned packages
Jasons-MacBook-Pro:newws jason$
This issue has been closed for more than 30 days. If this issue is still occurring, please open a new issue with more recent context.
Preface
We cannot address this directly within Nx. We believe this vulnerability is important to address but do not think the risk is high.
This issue is to provide a detailed report of my findings about the vulnerability as well as to track progress of its resolution.
Current Behavior
Nx workspaces and Angular CLI workspaces in general have a Moderate vulnerability as reported by npm audit. Because Nx is an extension of the Angular CLI, we have inherited this issue. npm audit reports multiple different versions of:
Relevant information
@angular-devkit/build-angular / ng-packagr depend on node-sass, which eventually depends on hoek.
These are devDependencies which are used at build time of your application, meaning this vulnerability will not be in your deployed application. What is at risk is your build system while it is building your application. node-sass allows compilation of Sass, which is built into the capabilities of most Angular build systems. There is no real feasible replacement for this at the moment. Maintainers of node-sass have a fix for this issue and are planning to address it in their 5.0.0 release. Removing this dependency would cause a breaking change for Node 4 users, so they are not doing it with their 4.x.x releases. :+1:
karma depends on log4js, which eventually depends on hoek.
This is actually an optionalDependency which is only used if you are using the mailgun appender. If you are using the mailgun appender, please refer to this issue. Maintainers of log4js are aware of this issue and have addressed it by upgrading the mailgun-js dependency. :+1:
Expected Behavior
Our dependencies fix the vulnerability. Once again, this is not something we can do within Nx; we are waiting for resolutions from the maintainers of our dependencies.
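The issue's argument rests on a distinction that npm audit does not make for you: whether a vulnerable transitive package is reached only through devDependencies (build-time exposure) or through a runtime dependency (shipped in the application). The script below, an added example that is not part of the issue or of the Nx project, makes that distinction mechanical. It assumes the advisory layout that `npm audit --json` emitted under npm 6 (advisories, each with findings whose paths are ">"-separated dependency chains) and reads top-level dependency kinds from package.json. Both sample documents are constructed for this example, and the intermediate packages in the paths are simplified placeholders rather than real dependency chains.

```python
"""Classify npm audit findings by how the vulnerable module is reached.

Added example, not code from the issue or from Nx. Assumes the npm 6 shape of
`npm audit --json` (advisories -> findings -> paths, paths joined with ">").
All sample data below is constructed for illustration.
"""

# Constructed package.json contents: the workspace's top-level dependencies.
SAMPLE_PACKAGE = {
    "dependencies": {"@angular/core": "6.0.0", "example-runtime-lib": "1.0.0"},
    "devDependencies": {
        "@angular-devkit/build-angular": "0.6.0",
        "ng-packagr": "3.0.0",
        "karma": "2.0.0",
    },
}

# Constructed `npm audit --json` output. Paths are simplified placeholders;
# only the first segment (the top-level package) matters for classification.
SAMPLE_AUDIT = {
    "advisories": {
        "566": {
            "module_name": "hoek",
            "severity": "moderate",
            "findings": [
                {"version": "2.16.3", "paths": [
                    "@angular-devkit/build-angular>node-sass>hoek",
                    "ng-packagr>node-sass>hoek",
                    "karma>log4js>mailgun-js>hoek",
                ]},
                {"version": "4.2.0", "paths": ["example-runtime-lib>hoek"]},
            ],
        },
    },
}


def dependency_kind(package_json: dict, top_level: str) -> str:
    """Return 'runtime', 'optional', 'dev' or 'unknown' for a top-level package.

    A package listed in more than one section is reported by the most exposed
    section first, so a dependency that is both runtime and dev counts as runtime.
    """
    if top_level in package_json.get("dependencies", {}):
        return "runtime"
    if top_level in package_json.get("optionalDependencies", {}):
        return "optional"
    if top_level in package_json.get("devDependencies", {}):
        return "dev"
    return "unknown"


def classify_advisories(audit: dict, package_json: dict) -> dict:
    """Map each advisory id to the top-level packages that reach it, by kind.

    `reaches_runtime` is True when any path starts at a runtime dependency or at
    a package that package.json does not declare (treated conservatively as
    runtime), so build-time-only advisories come out as False.
    """
    result = {}
    for adv_id, adv in audit.get("advisories", {}).items():
        by_kind = {}
        for finding in adv.get("findings", []):
            for path in finding.get("paths", []):
                # Scoped names contain "/" but never ">", so the first segment
                # is always the top-level package.
                top = path.split(">", 1)[0]
                by_kind.setdefault(dependency_kind(package_json, top), set()).add(top)
        result[adv_id] = {
            "module": adv.get("module_name"),
            "severity": adv.get("severity"),
            "paths_by_kind": {k: sorted(v) for k, v in by_kind.items()},
            "reaches_runtime": "runtime" in by_kind or "unknown" in by_kind,
        }
    return result


if __name__ == "__main__":
    for adv_id, info in classify_advisories(SAMPLE_AUDIT, SAMPLE_PACKAGE).items():
        exposure = "runtime" if info["reaches_runtime"] else "build-time only"
        print(f"advisory {adv_id}: {info['module']} ({info['severity']}) - {exposure}")
        for kind, tops in info["paths_by_kind"].items():
            print(f"  via {kind}: {', '.join(tops)}")
```

On a real workspace the two dicts would come from `json.load()` over `npm audit --json` output and the project's package.json; the classification then separates advisories that only affect CI and developer machines from those that ship in the application, which is the triage the issue performs by hand for node-sass and log4js.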