
Prototype pollution in @angular-devkit/build-angular caused by object-path < 0.11.5 #19134

Closed
1 of 16 tasks
dennisheer opened this issue Oct 20, 2020 · 3 comments · Fixed by #19137

Comments


dennisheer commented Oct 20, 2020

🐞 Bug report

Command (mark with an x)

  - [x] npm audit
  - [ ] new
  - [ ] build
  - [ ] serve
  - [ ] test
  - [ ] e2e
  - [ ] generate
  - [ ] add
  - [ ] update
  - [ ] lint
  - [ ] xi18n
  - [ ] run
  - [ ] config
  - [ ] help
  - [ ] version
  - [ ] doc

Is this a regression?

Yes, the previous version in which this bug was not present was: `0.901.6`. The affected version of `@angular-devkit/build-angular` is `0.1001.7`.

Description

Executing npm audit results in a high vulnerability (prototype-pollution) found for object-path < 0.11.5. See https://www.npmjs.com/advisories/1573 for further information.

🔬 Minimal Reproduction

  1. Run `ng new repro-app && cd repro-app`
  2. Install `@angular-devkit/build-angular` version 0.1001.7 by running `npm i @angular-devkit/build-angular@0.1001.7`
  3. Run `npm audit`

🔥 Exception or Error

[Screenshot of the `npm audit` output (2020-10-20 09:39:42), not reproduced here]

🌍 Your Environment

Angular CLI: 10.1.7
Node: 12.19.0
OS: darwin x64

Angular: 10.1.6
... animations, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router, service-worker
Ivy Workspace: Yes

Package                            Version
------------------------------------------------------------
@angular-devkit/architect          0.1001.7
@angular-devkit/build-angular      0.1001.7
@angular-devkit/build-ng-packagr   0.1001.7
@angular-devkit/core               10.1.7
@angular-devkit/schematics         10.1.7
@angular/cdk                       10.2.5
@angular/cli                       10.1.7
@schematics/angular                10.1.7
@schematics/update                 0.1001.7
ng-packagr                         10.1.2
rxjs                               6.6.3
typescript                         4.0.3

Anything else relevant?

No.
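The advisory the report points at (object-path < 0.11.5) is a prototype-pollution bug in a deep "set by path" helper, and the reproduction steps above surface it only through `npm audit`. The block below is an added example written for this page; it is not code from the Angular CLI project, from `object-path`, or from the reporter. It shows (1) the generic mitigation such a helper needs, namely refusing path segments that can reach `Object.prototype` and only traversing own properties, and (2) a lock-file check that flags any installed copy of `object-path` below the fixed version, so a team can confirm exposure in a transitive dependency without waiting for a new `npm audit` run. The lock-file fragment is constructed and deliberately simplified (build-angular > resolve-url-loader > object-path, as the "blocked on resolve-url-loader" comment in this thread suggests); the `PLACEHOLDER-VERSION` string and the helper names `safeSetPath`, `versionLessThan` and `findVulnerableCopies` are assumptions of this example, not names from any of those projects.

```javascript
// Added example (not code from the Angular CLI project, object-path, or the reporter).
// Part 1: a deep "set by path" helper hardened against prototype pollution.
// Part 2: a lockfileVersion-1 package-lock.json scan for object-path < 0.11.5.

// Segments that would let a path climb out of the target object and into the
// shared prototype chain. Rejecting them is the core of the mitigation.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assigns `value` at `path` (dotted string or array) inside `target`, creating
// intermediate plain objects as needed. Unsafe segments throw, and only own
// properties are descended into, so "__proto__.polluted" or
// "constructor.prototype.polluted" can never modify Object.prototype.
function safeSetPath(target, path, value) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  if (segments.length === 0 || segments[0] === '') throw new TypeError('empty path');
  let node = target;
  for (let i = 0; i < segments.length; i++) {
    const key = segments[i];
    if (UNSAFE_KEYS.has(key)) {
      throw new TypeError(`refusing to traverse unsafe key "${key}"`);
    }
    if (i === segments.length - 1) {
      node[key] = value;
    } else {
      const own = Object.prototype.hasOwnProperty.call(node, key);
      if (!own || typeof node[key] !== 'object' || node[key] === null) {
        node[key] = {};
      }
      node = node[key];
    }
  }
  return target;
}

// Parses "major.minor.patch"; a pre-release suffix is ignored for this check.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new TypeError(`unparseable version "${v}"`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when version string `a` is strictly lower than `b`.
function versionLessThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Walks a lockfileVersion 1 package-lock.json (nested "dependencies" maps) and
// returns the dependency chain of every installed copy of `name` whose version
// is below `fixedIn`. Nested copies matter: npm may keep an old object-path
// under a transitive dependency even when the top-level copy is patched.
function findVulnerableCopies(lock, name, fixedIn) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [depName, entry] of Object.entries(deps || {})) {
      const here = [...trail, `${depName}@${entry.version}`];
      if (depName === name && versionLessThan(entry.version, fixedIn)) {
        hits.push(here.join(' > '));
      }
      walk(entry.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed lock-file fragment (not a real lock file): the chain is
// simplified and PLACEHOLDER-VERSION stands in for versions not on the page.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    '@angular-devkit/build-angular': {
      version: '0.1001.7',
      dependencies: {
        'resolve-url-loader': {
          version: 'PLACEHOLDER-VERSION',
          dependencies: {
            'object-path': { version: '0.11.4' },
          },
        },
      },
    },
    'object-path': { version: '0.11.5' },
  },
};

console.log(findVulnerableCopies(SAMPLE_LOCK, 'object-path', '0.11.5'));
```

To run the scan against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; lockfileVersion 2 and 3 files put installed packages under a flat `packages` map instead, so the walker would need a second branch for those.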

alan-agius4 (Collaborator) commented:

Blocked on bholloway/resolve-url-loader#170

@alan-agius4 alan-agius4 self-assigned this Oct 20, 2020
@alan-agius4 alan-agius4 linked a pull request Oct 20, 2020 that will close this issue
alan-agius4 pushed a commit that referenced this issue Oct 20, 2020
DSigmund commented:

Please update the npm module? Thank you :-)

angular-automatic-lock-bot commented:

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Nov 22, 2020