snyk / vulncost

Find security vulnerabilities in open source npm packages while you code
https://marketplace.visualstudio.com/items?itemName=snyk-security.vscode-vuln-cost
MIT License

No known vulnerability flagged #38

Closed Ryuno-Ki closed 3 years ago

Ryuno-Ki commented 4 years ago

For a customer project, I'm working on an Angular SPA, which makes use of ngx-build-plus. According to npm ls, v9.0.6 is installed.

I'm working with Visual Studio Code and installed the Snyk VulnCost extension. I'm using the anonymous API endpoints (as in: not logged in). In package.json, that package is flagged as having a vulnerability:

ngx-build-plus

Looking up on Vuln DB online shows zero results.

What is going on? I can try to capture the network traffic via Wireshark, if that would help.

lirantal commented 4 years ago

Hey there 👋

What's happening is that ngx-build-plus pulls in a nested dependency which has vulnerabilities in it. So the vulnerability isn't a direct one on this package but deeper down the chain from what it pulls.

You can view it here: https://snyk.io/test/npm/ngx-build-plus

If you do use the Vuln Cost plugin when signed in, it will show you the information on all the vulnerable paths so you can track it.
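To trace such a transitive finding locally without the signed-in view, here is an added example (not code from the vulncost project or from anyone in this thread) that walks the tree `npm ls --all --json` prints and lists every dependency path that reaches a named package; the sample tree and the package name `vuln-lib` are constructed placeholders, not the real nested dependency.

```javascript
// Walk an `npm ls --all --json` style tree and return every path from a
// direct dependency down to the named package. The tree below is constructed
// sample data; "vuln-lib" stands in for whatever nested package is flagged.
const sampleTree = {
  name: "my-angular-app",
  dependencies: {
    "ngx-build-plus": {
      version: "9.0.6",
      dependencies: {
        "some-loader": {
          version: "1.2.3",
          dependencies: { "vuln-lib": { version: "0.9.0" } },
        },
      },
    },
    "other-dep": {
      version: "2.0.0",
      dependencies: { "vuln-lib": { version: "1.1.0" } },
    },
  },
};

// Depth-first walk. Each path is an array like
// ["ngx-build-plus@9.0.6", "some-loader@1.2.3", "vuln-lib@0.9.0"].
// Deduped entries in npm's output carry no nested `dependencies`, so the
// `|| {}` fallback keeps the walk going past them.
function findPaths(node, target, prefix = []) {
  const found = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const path = [...prefix, `${name}@${child.version}`];
    if (name === target) found.push(path);
    found.push(...findPaths(child, target, path));
  }
  return found;
}

// The direct dependencies responsible for pulling in the target; these are
// the entries in package.json that an editor plugin would flag.
function directParents(node, target) {
  return [...new Set(findPaths(node, target).map((p) => p[0]))];
}

// One line per path, joined with " > ", for printing or for a report.
function formatPaths(node, target) {
  return findPaths(node, target).map((p) => p.join(" > ")).join("\n");
}

console.log(formatPaths(sampleTree, "vuln-lib"));
```

Pipe a real tree in with `npm ls --all --json > tree.json` and pass the parsed object in place of `sampleTree` to see which direct dependency carries each path.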

Ryuno-Ki commented 4 years ago

I'd never have gotten that!

Hm, I get that with login you can provide more information etc. … But I don't want to mix my private account with business topics if possible (too much hassle to untangle later).

I'd miss a way to learn more (i.e. not only "fix" the vuln).

Reasoning: Perhaps the fix has unintended side consequences I can't take. But in order to decide, I'd like to know more about the vuln in question. Then, I can bring it up in an internal meeting and it can be decided, whether it's worth the risk to stay vulnerable for the time being or some refactoring is needed.

Also, this being Angular, not all vulnerabilities are critical for a bundled build (compared to a dev environment).

I'd need to look more into whether it's possible to show alternative information. Like a link to that test page in the footer when the cursor is in the same line as the import or something. Totally accepting if this should be something for paying users / logged-in users if Snyk decides to go that route.