Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Snyk Vulnerability: 3 High Severity Vulnerability Found in Angular 9.1.0 #17388

Closed
kumaran-is opened this issue Apr 3, 2020 · 7 comments · Fixed by #17525
Closed

Snyk Vulnerability: 3 High Severity Vulnerability Found in Angular 9.1.0 #17388

kumaran-is opened this issue Apr 3, 2020 · 7 comments · Fixed by #17525

Comments

@kumaran-is
Copy link

🐞 bug report

Affected Package

Angular 9 uses vulnerable version of dependency package [email protected] and [email protected]. For more detail, refer to the description section

Is this a regression?

This Vulnerability was there in version 9.0.x

Description

Angular 9.1.0 has 3 high-severity vulnerabilities:

✗ High severity vulnerability found in useragent
Description: Regular Expression Denial of Service (ReDoS)
Info: https://snyk.io/vuln/SNYK-JS-USERAGENT-174737
Introduced through: [email protected]
From: [email protected] > [email protected]

✗ High severity vulnerability found in qs
Description: Prototype Override Protection Bypass
Info: https://snyk.io/vuln/npm:qs:20170213
Introduced through: [email protected]
From: [email protected] > [email protected] > [email protected]

✗ High severity vulnerability found in ecstatic
Description: Denial of Service (DoS)
Info: https://snyk.io/vuln/SNYK-JS-ECSTATIC-540354
Introduced through: [email protected]
From: [email protected] > [email protected]

For complete SNYK report, refer the attachment

🌍 Your Environment

Angular Version:



Angular CLI: 9.1.0
Node: 12.13.0
OS: darwin x64

Angular: 
... 
Ivy Workspace: 

Package                      Version
------------------------------------------------------
@angular-devkit/architect    0.901.0
@angular-devkit/core         9.1.0
@angular-devkit/schematics   9.1.0
@schematics/angular          9.1.0
@schematics/update           0.901.0
rxjs                         
[angular 9.1.x snyk-output.txt](https://github.com/angular/angular/files/4429037/angular.9.1.x.snyk-output.txt)
6.5.4
@kumaran-is
Copy link
Author

@kara
Copy link
Contributor

kara commented Apr 3, 2020

The framework itself does not ship with those dependencies, but the CLI does use them. Transferring this issue to the CLI team for investigation.

@kara kara transferred this issue from angular/angular Apr 3, 2020
@clydin
Copy link
Member

clydin commented Apr 3, 2020

http-server is not a dependency of the Angular CLI nor installed within a new project. This was most likely installed manually within the project.

karma, however, is installed within a new project. To rectify the useragent package warning, karma would need to either change dependencies or wait for an update to the package. There is an open issue with the useragent project from June 2019 regarding this issue (3rd-Eden/useragent#147). However, no releases have been made.

@devoto13
Copy link
Contributor

devoto13 commented Apr 3, 2020

Karma has already switched to a different UA parser, but not released yet: karma-runner/karma#3440.

@kumaran-is
Copy link
Author

@alan-agius4 alan-agius4 self-assigned this Apr 22, 2020
@ngbot ngbot bot added this to the Backlog milestone Apr 22, 2020
kyliau pushed a commit that referenced this issue Apr 22, 2020
With this change we generate new workspaces with Karma version 5.
The previous version has several security vulnerabilities which were addressed in version 5.

Closes #17388 and closes #17241
@alan-agius4
Copy link
Collaborator

Closed via #17525

@angular-automatic-lock-bot
Copy link

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators May 23, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants