ng-packagr-11.0.3.tgz: 15 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - ng-packagr-11.0.3.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/ng-packagr/node_modules/postcss/package.json

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2021-44906	High	9.8	minimist-1.2.5.tgz	Transitive	12.0.0-next.9	❌
CVE-2021-3807	High	7.5	ansi-regex-5.0.0.tgz	Transitive	11.1.0	❌
CVE-2020-28469	High	7.5	glob-parent-5.1.1.tgz	Transitive	11.1.0	❌
CVE-2021-28092	High	7.5	is-svg-3.0.0.tgz	Transitive	11.1.0	❌
CVE-2021-33502	High	7.5	normalize-url-3.3.0.tgz	Transitive	12.0.0-next.9	❌
CVE-2021-33587	High	7.5	css-what-3.4.2.tgz	Transitive	12.0.0-next.9	❌
WS-2021-0152	High	7.5	color-string-1.5.4.tgz	Transitive	11.1.0	❌
CVE-2021-29059	High	7.5	is-svg-3.0.0.tgz	Transitive	11.1.0	❌
CVE-2021-23343	High	7.5	path-parse-1.0.6.tgz	Transitive	11.1.0	❌
CVE-2021-3803	High	7.5	nth-check-1.0.2.tgz	Transitive	12.0.0-next.9	❌
CVE-2021-29060	Medium	5.3	color-string-1.5.4.tgz	Transitive	11.1.0	❌
CVE-2021-23382	Medium	5.3	postcss-7.0.35.tgz	Transitive	11.1.0	❌
CVE-2021-23362	Medium	5.3	hosted-git-info-2.8.8.tgz	Transitive	11.1.0	❌
CVE-2021-23364	Medium	5.3	browserslist-4.15.0.tgz	Transitive	11.1.0	❌
CVE-2021-23368	Medium	5.3	postcss-7.0.35.tgz	Transitive	11.1.0	❌

Details

CVE-2021-44906

### Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/minimist/package.json

Dependency Hierarchy: - ng-packagr-11.0.3.tgz (Root Library) - postcss-url-8.0.0.tgz - mkdirp-0.5.5.tgz - :x: **minimist-1.2.5.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/issues/164

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (ng-packagr): 12.0.0-next.9

Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-3807

### Vulnerable Library - ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/strip-ansi/node_modules/ansi-regex/package.json

Dependency Hierarchy: - ng-packagr-11.0.3.tgz (Root Library) - ora-5.1.0.tgz - strip-ansi-6.0.0.tgz - :x: **ansi-regex-5.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (ng-packagr): 11.1.0

Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2020-28469

### Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/glob-parent/package.json

Dependency Hierarchy: - ng-packagr-11.0.3.tgz (Root Library) - chokidar-3.4.3.tgz - :x: **glob-parent-5.1.1.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (ng-packagr): 11.1.0

Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-28092

### Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/is-svg/package.json

Dependency Hierarchy: - ng-packagr-11.0.3.tgz (Root Library) - cssnano-preset-default-4.0.7.tgz - postcss-svgo-4.0.2.tgz - :x: **is-svg-3.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

Publish Date: 2021-03-12

URL: CVE-2021-28092

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092

Release Date: 2021-03-12

Fix Resolution (is-svg): 4.2.2

Direct dependency fix Resolution (ng-packagr): 11.1.0

Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-33502

### Vulnerable Library - normalize-url-3.3.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/normalize-url/package.json

Dependency Hierarchy: - ng-packagr-11.0.3.tgz (Root Library) - cssnano-preset-default-4.0.7.tgz - postcss-normalize-url-4.0.1.tgz - :x: **normalize-url-3.3.0.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution (normalize-url): 4.5.1

Direct dependency fix Resolution (ng-packagr): 12.0.0-next.9

Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-33587

### Vulnerable Library - css-what-3.4.2.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/css-what/package.json

Dependency Hierarchy: - ng-packagr-11.0.3.tgz (Root Library) - cssnano-preset-default-4.0.7.tgz - postcss-svgo-4.0.2.tgz - svgo-1.3.2.tgz - css-select-2.1.0.tgz - :x: **css-what-3.4.2.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution (css-what): 5.0.1

Direct dependency fix Resolution (ng-packagr): 12.0.0-next.9

Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

WS-2021-0152

### Vulnerable Library - color-string-1.5.4.tgz

Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.4.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/color-string/package.json

Dependency Hierarchy: - ng-packagr-11.0.3.tgz (Root Library) - cssnano-preset-default-4.0.7.tgz - postcss-colormin-4.0.3.tgz - color-3.1.3.tgz - :x: **color-string-1.5.4.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.

Publish Date: 2021-03-12

URL: WS-2021-0152

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/Qix-/color-string/releases/tag/1.5.5

Release Date: 2021-03-12

Fix Resolution (color-string): 1.5.5

Direct dependency fix Resolution (ng-packagr): 11.1.0

Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-29059

### Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/is-svg/package.json

Dependency Hierarchy: - ng-packagr-11.0.3.tgz (Root Library) - cssnano-preset-default-4.0.7.tgz - postcss-svgo-4.0.2.tgz - :x: **is-svg-3.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

Publish Date: 2021-06-21

URL: CVE-2021-29059

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/sindresorhus/is-svg/releases/tag/v4.3.0

Release Date: 2021-06-21

Fix Resolution (is-svg): 4.3.0

Direct dependency fix Resolution (ng-packagr): 11.1.0

Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-23343

### Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/path-parse/package.json,/aspnet-core/src/Thor.SSO.HttpApi.Host/node_modules/path-parse/package.json

Dependency Hierarchy: - ng-packagr-11.0.3.tgz (Root Library) - plugin-commonjs-15.1.0.tgz - resolve-1.19.0.tgz - :x: **path-parse-1.0.6.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/jbgutierrez/path-parse/issues/8

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (ng-packagr): 11.1.0

Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-3803

### Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/nth-check/package.json

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/fb55/nth-check/compare/v2.0.0...v2.0.1

Release Date: 2021-09-17

Fix Resolution (nth-check): 2.0.1

Direct dependency fix Resolution (ng-packagr): 12.0.0-next.9

Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-29060

### Vulnerable Library - color-string-1.5.4.tgz

Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.4.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/color-string/package.json

Dependency Hierarchy: - ng-packagr-11.0.3.tgz (Root Library) - cssnano-preset-default-4.0.7.tgz - postcss-colormin-4.0.3.tgz - color-3.1.3.tgz - :x: **color-string-1.5.4.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.

Publish Date: 2021-06-21

URL: CVE-2021-29060

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-257v-vj4p-3w2h

Release Date: 2021-06-21

Fix Resolution (color-string): 1.5.5

Direct dependency fix Resolution (ng-packagr): 11.1.0

Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-23382

### Vulnerable Library - postcss-7.0.35.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/ng-packagr/node_modules/postcss/package.json

Dependency Hierarchy: - ng-packagr-11.0.3.tgz (Root Library) - :x: **postcss-7.0.35.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (ng-packagr): 11.1.0

Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-23362

### Vulnerable Library - hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/hosted-git-info/package.json

Dependency Hierarchy: - ng-packagr-11.0.3.tgz (Root Library) - read-pkg-up-5.0.0.tgz - read-pkg-5.2.0.tgz - normalize-package-data-2.5.0.tgz - :x: **hosted-git-info-2.8.8.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution (hosted-git-info): 2.8.9

Direct dependency fix Resolution (ng-packagr): 11.1.0

Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-23364

### Vulnerable Library - browserslist-4.15.0.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.15.0.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/browserslist/package.json

Dependency Hierarchy: - ng-packagr-11.0.3.tgz (Root Library) - :x: **browserslist-4.15.0.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution (browserslist): 4.16.5

Direct dependency fix Resolution (ng-packagr): 11.1.0

Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-23368

### Vulnerable Library - postcss-7.0.35.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/ng-packagr/node_modules/postcss/package.json

Dependency Hierarchy: - ng-packagr-11.0.3.tgz (Root Library) - :x: **postcss-7.0.35.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Publish Date: 2021-04-12

URL: CVE-2021-23368

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368

Release Date: 2021-04-12

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (ng-packagr): 11.1.0

Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

thor-it / thor-sso

ng-packagr-11.0.3.tgz: 15 vulnerabilities (highest severity is: 9.8) - autoclosed #33

Vulnerabilities

Details