
Upgrade @angular package versions #11

Merged
merged 1 commit into from Jun 19, 2018

Conversation

mezarin
Member

@mezarin mezarin commented Jun 16, 2018

Addresses issue: #10

Upgrade @angular and other dependencies to more recent versions to remove various security vulnerabilities. One of them is the one reported: wycats/handlebars.js handlebars CVE-2015-8861.

A workaround is being introduced for the vulnerability associated with the hoek package: CVE-2018-3728 (updated package-lock.json to use hoek 4.2.1). angular-devkit/build-angular@0.6.* appears to have the same issue.

For more details see: 
https://github.com/angular/angular-cli/issues/10480

npm ls hoek
└─┬ @angular-devkit/build-angular@0.6.8
  └─┬ node-sass@4.9.0
    └─┬ request@2.79.0
      └─┬ hawk@3.1.3
        ├─┬ boom@2.10.1
        │ └── hoek@2.16.3  deduped
        ├── hoek@2.16.3 
        └─┬ sntp@1.0.9
          └── hoek@2.16.3  deduped

Another workaround (update package-lock.json to use tunnel-agent@0.6.0) was introduced for vulnerability:
WARN notice [SECURITY] tunnel-agent has the following vulnerability: 1 moderate. Go here for more details: https://nodesecurity.io/advisories?search=tunnel-agent&version=0.4.3

Here are a couple of pertinent karma package security vulnerability related issues that are still open:

https://github.com/karma-runner/karma/issues/2994
https://github.com/IntegratedAlarmSystem-Group/ias-display/issues/28
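As an added example (not code from this PR or the OpenLiberty project), a small Node script that walks a lockfileVersion-1 package-lock.json and flags any nested copy of hoek or tunnel-agent that is below the versions the PR pins. The lockfile fragment it scans is constructed to mirror the npm ls tree above; the version floors are assumed from the PR text.

```javascript
// Added example, not from this PR: scan a lockfileVersion-1 package-lock.json
// for transitive copies of a package that sit below a known-fixed version.
// Floors come from the PR text (hoek 4.2.1 for CVE-2018-3728, tunnel-agent
// 0.6.0); the lockfile fragment below is constructed to mirror its npm ls tree.

// Numeric comparison of dotted versions: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the nested "dependencies" objects of a v1 lockfile and report every
// watched package whose resolved version is below its floor, together with
// the chain that pulls it in (the same path `npm ls` prints).
function findOutdated(lock, floors, chain = [], out = []) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const here = chain.concat(name + '@' + entry.version);
    if (floors[name] && compareVersions(entry.version, floors[name]) < 0) {
      out.push({ name, version: entry.version, floor: floors[name],
                 path: here.join(' > ') });
    }
    findOutdated(entry, floors, here, out);  // nested copies live under entry.dependencies
  }
  return out;
}

const FLOORS = { hoek: '4.2.1', 'tunnel-agent': '0.6.0' };

// Constructed fragment: hoek 4.2.1 pinned at top level, but an old hoek and
// tunnel-agent still reachable through build-angular > node-sass > request.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    hoek: { version: '4.2.1' },
    '@angular-devkit/build-angular': { version: '0.6.8', dependencies: {
      'node-sass': { version: '4.9.0', dependencies: {
        request: { version: '2.79.0', dependencies: {
          hawk: { version: '3.1.3', dependencies: {
            boom: { version: '2.10.1' }, hoek: { version: '2.16.3' },
            sntp: { version: '1.0.9' } } },
          'tunnel-agent': { version: '0.4.3' } } } } } } }
  }
};

for (const h of findOutdated(SAMPLE_LOCK, FLOORS)) console.log(`${h.path}  (needs >= ${h.floor})`);
```

Pointing `findOutdated` at a parsed real lockfile (e.g. `JSON.parse(fs.readFileSync('package-lock.json'))`) turns this into a quick pre-merge check that the pinned workaround actually reaches every nested copy.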

Contributor

@dshimo dshimo left a comment

👍

@mezarin mezarin merged commit 17a46e4 into OpenLiberty:master Jun 19, 2018
@mezarin mezarin deleted the upgradeAngularVersion branch September 18, 2018 22:26