ng-packagr / ng-packagr

Compile and package Angular libraries in Angular Package Format (APF)

Npm audit reports vulnerabilities

piozygmunt opened this issue · comments

Type of Issue

[x] Bug Report
[ ] Feature Request

Description

Npm's audit reports the following vulnerabilities in ng-packagr dependencies:

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install ng-packagr@11.2.4, which is a breaking change
node_modules/less/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/semver
  make-dir  2.0.0 - 3.1.0
  Depends on vulnerable versions of semver
  node_modules/less/node_modules/make-dir
  node_modules/make-dir
    find-cache-dir  2.1.0 - 3.3.2
    Depends on vulnerable versions of make-dir
    node_modules/find-cache-dir
      ng-packagr  >=11.1.0
      Depends on vulnerable versions of find-cache-dir
      Depends on vulnerable versions of less
      Depends on vulnerable versions of postcss-url
      node_modules/ng-packagr
    less  >=3.11.2
    Depends on vulnerable versions of make-dir
    node_modules/less
    postcss-url  >=10.1.0
    Depends on vulnerable versions of make-dir
    node_modules/postcss-url

6 moderate severity vulnerabilities

How To Reproduce

Run the npm audit command after installing ng-packagr.

Expected Behaviour

No vulnerabilities should be returned.

Version Information

$ node_modules/.bin/ng-packagr --version
ng-packagr: 16.1.0
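The audit tree above is a reachability chain, not six separate bugs: one advisory (semver below 7.5.2) is reported once per package that depends on a vulnerable copy. The script below is an added example, not code from the reporter or from the ng-packagr project. It walks the JSON form of the same report (`npm audit --json`) to answer the three questions a triager actually needs: which entry carries the real advisory, which direct dependency pulls it in, and whether npm's proposed fix is a semver-major change. The sample report is constructed to mirror the tree in this issue and assumes the shape of npm's audit report format version 2; the range checker only handles the range forms npm prints here.

```python
"""Triage a transitive npm audit finding from `npm audit --json` output.

Constructed example: SAMPLE_REPORT mirrors the tree in the issue above
(semver -> make-dir -> find-cache-dir / less / postcss-url -> ng-packagr) and
follows the shape of npm's audit report format version 2. That shape is an
assumption about npm's JSON output; no data here is copied from npm itself.
"""
from typing import List, Tuple

FIX = {"name": "ng-packagr", "version": "11.2.4", "isSemVerMajor": True}


def _entry(name: str, via: list, effects: List[str], rng: str, direct: bool = False) -> dict:
    """Build one `vulnerabilities` entry in the v2 report shape (constructed)."""
    return {"name": name, "severity": "moderate", "isDirect": direct,
            "via": via, "effects": effects, "range": rng, "fixAvailable": FIX}


ADVISORY = {  # the only real advisory in the tree; every other entry is a downstream effect
    "name": "semver",
    "title": "semver vulnerable to Regular Expression Denial of Service",
    "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
    "severity": "moderate",
    "range": "<7.5.2",
}

SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "semver": _entry("semver", [ADVISORY], ["make-dir"], "<7.5.2"),
        "make-dir": _entry("make-dir", ["semver"], ["find-cache-dir", "less", "postcss-url"], "2.0.0 - 3.1.0"),
        "find-cache-dir": _entry("find-cache-dir", ["make-dir"], ["ng-packagr"], "2.1.0 - 3.3.2"),
        "less": _entry("less", ["make-dir"], ["ng-packagr"], ">=3.11.2"),
        "postcss-url": _entry("postcss-url", ["make-dir"], ["ng-packagr"], ">=10.1.0"),
        "ng-packagr": _entry("ng-packagr", ["find-cache-dir", "less", "postcss-url"], [], ">=11.1.0", direct=True),
    },
}


def root_advisories(report: dict) -> List[Tuple[str, str, str]]:
    """(package, advisory url, vulnerable range) for entries whose `via` carries an
    advisory object; entries whose `via` holds only package names are effects."""
    found = []
    for name, entry in report["vulnerabilities"].items():
        for v in entry.get("via", []):
            if isinstance(v, dict):
                found.append((name, v["url"], v["range"]))
    return found


def paths_to_direct_deps(report: dict, pkg: str) -> List[List[str]]:
    """Follow `effects` upward from pkg until a direct dependency is reached."""
    vulns = report["vulnerabilities"]
    paths: List[List[str]] = []

    def walk(name: str, path: List[str]) -> None:
        entry = vulns.get(name)
        if entry is None:
            return
        path = path + [name]
        if entry.get("isDirect"):
            paths.append(path)
            return
        for nxt in entry.get("effects", []):
            if nxt not in path:  # guard against cycles in the effects graph
                walk(nxt, path)

    walk(pkg, [])
    return paths


def fix_is_breaking(report: dict, pkg: str) -> bool:
    """True when npm's suggested fix is a semver-major bump (the --force case)."""
    fix = report["vulnerabilities"][pkg].get("fixAvailable")
    return isinstance(fix, dict) and bool(fix.get("isSemVerMajor"))


def _ver(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.strip().split("."))


def in_vulnerable_range(installed: str, rng: str) -> bool:
    """Check an installed version against the range forms npm prints in this
    report: '<X.Y.Z', '<=X.Y.Z', '>=X.Y.Z', '>X.Y.Z' and 'A.B.C - X.Y.Z'."""
    rng = rng.strip()
    if " - " in rng:
        lo, hi = rng.split(" - ")
        return _ver(lo) <= _ver(installed) <= _ver(hi)
    for op, test in (("<=", lambda a, b: a <= b), (">=", lambda a, b: a >= b),
                     ("<", lambda a, b: a < b), (">", lambda a, b: a > b)):
        if rng.startswith(op):
            return test(_ver(installed), _ver(rng[len(op):]))
    raise ValueError(f"unsupported range: {rng!r}")


if __name__ == "__main__":
    import json
    import sys
    # Read a real report from stdin when piped; fall back to the constructed sample.
    report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    for pkg, url, rng in root_advisories(report):
        print(f"{pkg} {rng}  {url}  breaking fix: {fix_is_breaking(report, pkg)}")
        for path in paths_to_direct_deps(report, pkg):
            print("  pulled in via:", " -> ".join(path))
```

Saved as, say, audit_triage.py (a hypothetical file name), it runs on a live project with `npm audit --json | python3 audit_triage.py`. On the constructed sample it reports one advisory with a breaking fix and three paths, each ending at ng-packagr, which is why the tree prints six entries for one semver finding.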

Thanks for reporting this issue; however, this issue is caused by less.

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

This action has been performed automatically by a bot.