
loader-utils is vulnerable. Will install @angular-devkit/build-angular@12.2.18 #24241

Closed
pawan-gwebs opened this issue Nov 16, 2022 · 10 comments

Comments

@pawan-gwebs

Which @angular/* package(s) are the source of the bug?

Don't know / other

Is this a regression?

No

Description

npm audit

npm audit report

loader-utils 3.0.0 - 3.2.0
Severity: high
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - GHSA-hhq3-ff78-jv3g
fix available via npm audit fix --force
Will install @angular-devkit/build-angular@12.2.18, which is a breaking change
node_modules/loader-utils
@angular-devkit/build-angular 13.0.0-next.0 - 15.0.0-rc.3
Depends on vulnerable versions of loader-utils
node_modules/@angular-devkit/build-angular

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

No response

Please provide the environment you discovered this bug in (run ng version)

No response

Anything else?

No response

@pkozlowski-opensource pkozlowski-opensource transferred this issue from angular/angular Nov 16, 2022
alan-agius4 added a commit to alan-agius4/angular-cli that referenced this issue Nov 16, 2022
`loader-utils` is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable.

See: GHSA-3rfm-jhwj-7488

Closes angular#24241
@alan-agius4
Collaborator

We do not expect that the Angular CLI is used on production where this vulnerability can be exploited. That said, we will update loader-utils in version 13.3 and 14.2 of the Angular CLI.

Please be aware that Angular version 12 is no longer under support. See https://angular.io/guide/releases#actively-supported-versions

@gon250

gon250 commented Nov 16, 2022

I'm having the issue while working with angular-13

npm audit output:

# npm audit report

loader-utils  2.0.0 - 2.0.3 || 3.0.0 - 3.2.0
Severity: high
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)  - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)  - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@12.2.18, which is a breaking change
node_modules/@angular-devkit/build-angular/node_modules/loader-utils
node_modules/loader-utils
  @angular-devkit/build-angular  13.0.0-next.0 - 15.0.0-rc.3
  Depends on vulnerable versions of loader-utils
  node_modules/@angular-devkit/build-angular

package.json details:

"devDependencies": {
    "@angular-devkit/build-angular": "^13.3.9",
    "@angular-eslint/builder": "13.0.1",
    "@angular-eslint/eslint-plugin": "13.0.1",
    "@angular-eslint/eslint-plugin-template": "13.0.1",
    "@angular-eslint/schematics": "13.0.1",
   ....
}
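The audit output above names the dependency paths but not which nested copies are still affected after an update. The following script is an added example, not code from this issue or from the Angular CLI project: it walks a package-lock.json (lockfileVersion 2/3 "packages" map) and lists every installed copy of loader-utils, hoisted or nested, whose version falls inside the two ranges npm audit reported, so the fix can be verified without resorting to `npm audit fix --force`. The lock-file excerpt inside it is constructed for illustration.

```javascript
// Added example, not code from the issue or the Angular CLI project.
// Ranges are exactly the ones npm audit reported: 2.0.0 - 2.0.3 || 3.0.0 - 3.2.0.
const VULNERABLE_RANGES = [
  { min: [2, 0, 0], max: [2, 0, 3] },
  { min: [3, 0, 0], max: [3, 2, 0] },
];

// Parse "MAJOR.MINOR.PATCH[-pre]" into numbers; a prerelease tag is dropped (conservative).
function parseVersion(version) {
  return version.split("-")[0].split(".").map(Number);
}

// Lexicographic compare of two [major, minor, patch] tuples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside one of the advisory ranges (inclusive).
function isVulnerableLoaderUtils(version) {
  const v = parseVersion(version);
  return VULNERABLE_RANGES.some((r) => cmp(v, r.min) >= 0 && cmp(v, r.max) <= 0);
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every loader-utils entry (hoisted or nested) that is still affected.
function findVulnerableLoaderUtils(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isLoaderUtils = path === "node_modules/loader-utils" || path.endsWith("/node_modules/loader-utils");
    if (isLoaderUtils && meta.version && isVulnerableLoaderUtils(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lock-file excerpt mirroring the audit report above: a hoisted
// copy, a copy nested under build-angular, and one already outside the ranges.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/loader-utils": { version: "3.2.0" },
    "node_modules/@angular-devkit/build-angular/node_modules/loader-utils": { version: "2.0.3" },
    "node_modules/other-tool/node_modules/loader-utils": { version: "2.0.4" },
  },
};
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findVulnerableLoaderUtils`; an empty result means every copy is outside the reported ranges.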

@pawan-gwebs
Author

We do not expect that the Angular CLI is used on production where this vulnerability can be exploited. That said, we will update loader-utils in version 13.3 and 14.2 of the Angular CLI.

Please be aware that Angular version 12 is no longer under support. See https://angular.io/guide/releases#actively-supported-versions

We are already on Angular version 14.2.9 and I have this in "devDependencies": { "@angular-devkit/build-angular": "^14.2.9" }
This warning was not in "@angular-devkit/build-angular": "^14.2.7".
This vulnerability issue is due to the "loader-utils" dependency of "@angular-devkit/build-angular". Maybe in the latest version of "loader-utils".

dgp1130 pushed a commit that referenced this issue Nov 16, 2022
`loader-utils` is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable.

See: GHSA-3rfm-jhwj-7488

Closes #24241
@alan-agius4
Collaborator

Closed via #24243

@pawan-gwebs
Author

pawan-gwebs commented Nov 17, 2022

@alan-agius4
Has your last change been published? I can see only version 15 of "@angular-devkit/build-angular" published 9 hours ago, but no fix on the 14.2.9 version of "@angular-devkit/build-angular". I think a new update should be there with the fix in version 14.2.x.

@alan-agius4
Collaborator

@pawan-gwebs, it has not been released yet. Likely it will be released later on during the day today.

@pawan-gwebs
Author

@pawan-gwebs, it has not been released yet. Likely it will be released later on during the day today.

@alan-agius4 Thank you! for the quick update.

@gon250

gon250 commented Nov 17, 2022

Will this change be included in version 13.x? In case it will not be applied, I can create a PR pointing to the right place. Thanks @alan-agius4

@alan-agius4
Collaborator

@gon250, yes it will. (#24242)

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Dec 18, 2022