Compilation error due to a vulnerabilities in angular-devkit/build-angular@13.3.2 dependencies-CodePudding

After update my angular project from 8 -> last, I can't build it. Now, this is my main problem:

Result of npm install

# npm audit report

async  <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
No fix available
node_modules/portfinder/node_modules/async
  portfinder  0.1.0 || >=0.4.0
  Depends on vulnerable versions of async
  node_modules/portfinder
    webpack-dev-server  >=2.0.0-beta
    Depends on vulnerable versions of portfinder
    node_modules/webpack-dev-server
      @angular-devkit/build-angular  *
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-angular
        @angular-builders/custom-webpack  *
        Depends on vulnerable versions of @angular-devkit/build-angular
        node_modules/@angular-builders/custom-webpack

Reusult of npm ls async

 -- @angular-devkit/[email protected]
| `-- [email protected]
|   `-- [email protected]
|     `-- [email protected]
`-- [email protected]

CodePudding user response：

I was having this problem too. I updated my async dependency, but the main issue was that portfinder was still relying on the older version of async. I found my solution here.

I added this to my package.json:

"overrides": {
  "async": "$async"
},

This will ensure that any dependencies relying on async will use the current version you have installed. Hope this helps!

CodePudding user response：

I'd worry that the major version change (from 2.x to 3.x) might "break something" under the hood in the intermediate dependency on "portfinder".

There is a new 2.6.4 release of the "async" library (in the last 24 hours) that should patch this (referenced here: https://github.com/caolan/async/pull/1828), but npm audit scanning has not yet (as of just now) picked up that this should also resolve the Prototype Pollution vulnerability.

Also, I found that even with npm v8.5 (and node v16.14.2) the overrides don't actually do anything to remove the flagged versions unless I first fully remove the package-lock.json and delete the node_modules directory before a full clean npm install. You'd think that npm purge would do the trick but not working correctly it seems.