After updating my Angular project from 8 to the latest version, I can't build it. Now this is my main problem:
Result of npm install
# npm audit report
async <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
No fix available
node_modules/portfinder/node_modules/async
portfinder 0.1.0 || >=0.4.0
Depends on vulnerable versions of async
node_modules/portfinder
webpack-dev-server >=2.0.0-beta
Depends on vulnerable versions of portfinder
node_modules/webpack-dev-server
@angular-devkit/build-angular *
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
@angular-builders/custom-webpack *
Depends on vulnerable versions of @angular-devkit/build-angular
node_modules/@angular-builders/custom-webpack
Result of npm ls async
-- @angular-devkit/[email protected]
| `-- [email protected]
| `-- [email protected]
| `-- [email protected]
`-- [email protected]
CodePudding user response:
I was having this problem too. I updated my async dependency, but the main issue was that portfinder was still relying on the older version of async. I found my solution here.
I added this to my package.json:
"overrides": {
"async": "$async"
},
This will ensure that any dependencies relying on async will use the current version you have installed. Hope this helps!
CodePudding user response:
I'd worry that the major version change (from 2.x to 3.x) might "break something" under the hood in the intermediate dependency on "portfinder".
There is a new 2.6.4 release of the "async" library (in the last 24 hours) that should patch this (referenced here: https://github.com/caolan/async/pull/1828), but npm audit scanning has not yet (as of just now) picked up that this should also resolve the Prototype Pollution vulnerability.
Also, I found that even with npm v8.5 (and node v16.14.2) the overrides don't actually do anything to remove the flagged versions unless I first fully remove the package-lock.json and delete the node_modules directory before a full clean npm install. You'd think that npm purge would do the trick, but it doesn't seem to be working correctly.
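Since both answers hinge on whether the nested async copy under portfinder was actually replaced, here is an added check (not from either answer) that walks the JSON form of npm ls output and lists every installed copy of a package still below the fixed version. The npm ls JSON below is constructed sample data; the package versions in it are invented for illustration, and the backports parameter is a hypothetical way to treat a backported fix such as async 2.6.4 as patched even though audit does not yet.

```python
import json

# Constructed sample of `npm ls async --json --all` output (not from the post):
# the project's own async 3.2.3 plus a nested 2.6.3 pulled in via portfinder.
SAMPLE_NPM_LS_JSON = """
{
  "name": "demo-app",
  "dependencies": {
    "async": {"version": "3.2.3"},
    "@angular-devkit/build-angular": {
      "version": "13.3.0",
      "dependencies": {
        "webpack-dev-server": {
          "version": "4.7.4",
          "dependencies": {
            "portfinder": {
              "version": "1.0.28",
              "dependencies": {"async": {"version": "2.6.3"}}
            }
          }
        }
      }
    }
  }
}
"""

def parse_version(v):
    """Turn '3.2.2' into a comparable tuple (3, 2, 2); pre-release tags are ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def find_package(tree, name, path=()):
    """Walk an `npm ls --json` tree, yielding (path, version) for every copy of `name`."""
    for dep, info in tree.get("dependencies", {}).items():
        here = path + (f"{dep}@{info.get('version', '?')}",)
        if dep == name:
            yield here, info.get("version", "")
        yield from find_package(info, name, here)

def vulnerable_copies(npm_ls_json, name, fixed_in, backports=()):
    """Return the dependency path of every installed copy of `name` older than
    `fixed_in`, skipping versions in `backports` (a backported fix audit may not know)."""
    tree = json.loads(npm_ls_json)
    return [" > ".join(p) for p, v in find_package(tree, name)
            if v and v not in backports and parse_version(v) < parse_version(fixed_in)]

if __name__ == "__main__":
    for path in vulnerable_copies(SAMPLE_NPM_LS_JSON, "async", "3.2.2"):
        print("still vulnerable:", path)
```

On a real project, pipe `npm ls async --json --all` into it after the clean reinstall; an empty result means the overrides entry took effect for every nested copy.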