Compilation error due to a vulnerabilities in angular-devkit/[email protected] dependencies

Time: 04-15

After updating my Angular project from 8 -> latest, I can't build it. Now, this is my main problem:

Result of npm install

# npm audit report

async  <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
No fix available
node_modules/portfinder/node_modules/async
  portfinder  0.1.0 || >=0.4.0
  Depends on vulnerable versions of async
  node_modules/portfinder
    webpack-dev-server  >=2.0.0-beta
    Depends on vulnerable versions of portfinder
    node_modules/webpack-dev-server
      @angular-devkit/build-angular  *
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-angular
        @angular-builders/custom-webpack  *
        Depends on vulnerable versions of @angular-devkit/build-angular
        node_modules/@angular-builders/custom-webpack

Result of npm ls async

 -- @angular-devkit/[email protected]
| `-- [email protected]
|   `-- [email protected]
|     `-- [email protected]
`-- [email protected]

CodePudding user response:

I was having this problem too. I updated my async dependency, but the main issue was that portfinder was still relying on the older version of async. I found my solution here.

I added this to my package.json:

"overrides": {
  "async": "$async"
},

This will ensure that any dependencies relying on async will use the current version you have installed. Hope this helps!

CodePudding user response:

I'd worry that the major version change (from 2.x to 3.x) might "break something" under the hood in the intermediate dependency on "portfinder".

There is a new 2.6.4 release of the "async" library (in the last 24 hours) that should patch this (referenced here: https://github.com/caolan/async/pull/1828), but npm audit scanning has not yet (as of just now) picked up that this should also resolve the Prototype Pollution vulnerability.

Also, I found that even with npm v8.5 (and node v16.14.2) the overrides don't actually do anything to remove the flagged versions unless I first fully remove package-lock.json and delete the node_modules directory before a full clean npm install. You'd think that npm purge would do the trick, but it doesn't seem to be working correctly.
