Npm audit reports vulnerabilities
piozygmunt opened this issue
piozygmunt commented
Type of Issue
[x] Bug Report
[ ] Feature Request
Description
Npm's audit reports the following vulnerabilities in ng-packagr dependencies:
```
semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install ng-packagr@11.2.4, which is a breaking change
node_modules/less/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/semver
  make-dir 2.0.0 - 3.1.0
  Depends on vulnerable versions of semver
  node_modules/less/node_modules/make-dir
  node_modules/make-dir
    find-cache-dir 2.1.0 - 3.3.2
    Depends on vulnerable versions of make-dir
    node_modules/find-cache-dir
      ng-packagr >=11.1.0
      Depends on vulnerable versions of find-cache-dir
      Depends on vulnerable versions of less
      Depends on vulnerable versions of postcss-url
      node_modules/ng-packagr
    less >=3.11.2
    Depends on vulnerable versions of make-dir
    node_modules/less
    postcss-url >=10.1.0
    Depends on vulnerable versions of make-dir
    node_modules/postcss-url

6 moderate severity vulnerabilities
```
How To Reproduce
Run the `npm audit` command after installing ng-packagr.
Expected Behaviour
No vulnerabilities should be returned.
Version Information
```
$ node_modules/.bin/ng-packagr --version
ng-packagr: 16.1.0
```
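The audit output above is a chain of transitive findings, and the triage question is which package actually carries the advisory and which paths drag it up to ng-packagr. The walker below is an added example, not part of this issue or of ng-packagr; it reads the JSON shape that `npm audit --json` emits with npm 7 and later (`vulnerabilities` entries with `via`, `effects` and `isDirect`), and the sample report is constructed to mirror the chain quoted in the report, not captured from a real install.

```python
import json

# Constructed sample in the shape `npm audit --json` produces with npm 7+
# (auditReportVersion 2). It mirrors the chain quoted in this issue and keeps
# only the fields the walker reads. Assumed layout, not a captured report.
def _entry(name, via, effects, direct=False):
    return {"name": name, "severity": "moderate", "isDirect": direct,
            "via": via, "effects": effects}

SAMPLE_AUDIT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "semver": _entry("semver", [{"title": "semver vulnerable to Regular Expression Denial of Service",
                                 "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
                                 "range": "<7.5.2"}], ["make-dir"]),
    "make-dir": _entry("make-dir", ["semver"], ["find-cache-dir", "less", "postcss-url"]),
    "find-cache-dir": _entry("find-cache-dir", ["make-dir"], ["ng-packagr"]),
    "less": _entry("less", ["make-dir"], ["ng-packagr"]),
    "postcss-url": _entry("postcss-url", ["make-dir"], ["ng-packagr"]),
    "ng-packagr": _entry("ng-packagr", ["find-cache-dir", "less", "postcss-url"], [], direct=True),
}})

def root_advisories(report):
    """{package: [advisory dicts]} for entries whose `via` holds advisory objects, not package names."""
    vulns = report["vulnerabilities"]
    return {n: [v for v in e["via"] if isinstance(v, dict)]
            for n, e in vulns.items() if any(isinstance(v, dict) for v in e["via"])}

def chains_to_direct(report, root):
    """Every path from `root` along `effects` up to a direct dependency."""
    vulns = report["vulnerabilities"]
    out, stack = [], [[root]]
    while stack:
        path = stack.pop()
        entry = vulns[path[-1]]
        if entry["isDirect"] or not entry["effects"]:
            out.append(path)
            continue
        for nxt in entry["effects"]:
            if nxt in vulns and nxt not in path:  # skip unknown nodes and cycles
                stack.append(path + [nxt])
    return sorted(out)

def triage(report_json):
    """Map each root advisory package to its advisory URLs and the chains reaching direct deps."""
    report = json.loads(report_json)
    result = {}
    for pkg, advisories in root_advisories(report).items():
        result[pkg] = {"advisories": [a["url"] for a in advisories],
                       "chains": [" -> ".join(c) for c in chains_to_direct(report, pkg)]}
    return result
```

Calling `triage(SAMPLE_AUDIT)` reports a single root (`semver`) with three chains that all pass through make-dir before reaching ng-packagr; to run it against a real project, pass the text of `npm audit --json` instead of the sample.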
Alan Agius commented
Thanks for reporting this issue, however this issue is caused by less.
github-actions commented
This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.
This action has been performed automatically by a bot.