
NPM Audit Failure = @angular-devkit/build-angular #14138

Closed
Adam-Kernig opened this issue Apr 11, 2019 · 46 comments

@Adam-Kernig commented Apr 11, 2019

🐞 Bug report

Command (mark with an x)

  • [ X ] new
  • build
  • serve
  • test
  • e2e
  • generate
  • add
  • update
  • lint
  • xi18n
  • run
  • config
  • help
  • version
  • doc

### Is this a regression?
no

### Description
Up to date NG CLI, creating a new project, npm audit strikes


## 🔬 Minimal Reproduction
Up to date NG CLI, creating a new project, npm audit strikes

## 🔥 Exception or Error
<pre><code>
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular-devkit/build-angular [dev]                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular-devkit/build-angular > node-sass > node-gyp > tar   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/803                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
</code></pre>


## 🌍 Your Environment
<pre><code>
Angular CLI: 7.3.8
Node: 10.15.0
OS: darwin x64
Angular: 
... 

Package                      Version
------------------------------------------------------
@angular-devkit/architect    0.13.8
@angular-devkit/core         7.3.8
@angular-devkit/schematics   7.3.8
@schematics/angular          7.3.8
@schematics/update           0.13.8
rxjs                         6.3.3
typescript                   3.2.4
</code></pre>

**Anything else relevant?**
Nothing further

@alan-agius4 (Collaborator) commented Apr 11, 2019

Hi, thanks for reporting this, however this is caused by an upstream package and will be fixed when they release a new version nodejs/node-gyp#1714

@spp125 commented Apr 11, 2019

I am having the same issue.

@cap-akimrey commented Apr 11, 2019

v4.4.8 was just released.

@chet-manley commented Apr 11, 2019

Looks like node-gyp already took care of it.
nodejs/node-gyp#1713

@Adam-Kernig (Author) commented Apr 12, 2019

I'm guessing, with it now being resolved, we can expect this in the next release?

@HansITChange commented Apr 12, 2019

Building a new app still generates the same error

@alan-agius4 (Collaborator) commented Apr 12, 2019

node-sass is using an older version of node-gyp, hence we are still blocked on this.

See: sass/node-sass#2625

@ignaciorecuerda commented Apr 12, 2019

This question has already been answered. Can you try this solution https://stackoverflow.com/a/55649551/10961281, it has worked for me

@Adam-Kernig (Author) commented Apr 12, 2019

> This question has already been answered. Can you try this solution https://stackoverflow.com/a/55649551/10961281, it has worked for me

Do NOT manually edit the lock file.

@Adam-Kernig (Author) commented Apr 12, 2019

> > > This question has already been answered. Can you try this solution https://stackoverflow.com/a/55649551/10961281, it has worked for me
> >
> > Do NOT manually edit the lock file.
>
> Then how should it be done?

Wait till sass is updated and give the Angular chaps time; it's Friday (for us anyway). We aren't releasing this weekend.

The Angular guys are extremely quick at resolving issues; patience is key.

salvo-github added a commit to salvo-github/ui_learning that referenced this issue Apr 12, 2019

ShahanaFarooqui added a commit to ShahanaFarooqui/RTL that referenced this issue Apr 14, 2019

Fix issue #114
Manually removed vulnerability by upgrading 'tar' package from 2.2.1 to 4.4.8 (https://stackoverflow.com/questions/55635378/angular-devkit-build-angular-arbitrary-file-overwrite). angular-devkit and node-sass issues are still open. (angular/angular-cli#14138, sass/node-sass#2625). Will permanently be fixed once above 2 issues are addressed by Angular and node-sass teams.

@lenichols commented Apr 15, 2019

+1

@cbutton01 commented Apr 17, 2019

I am also having this issue, any news on an update?

@michalmotorola commented Apr 18, 2019

I also have this problem. We are waiting a few days with merges.

@Hallight commented Apr 19, 2019

Any update on this?

@alan-agius4 (Collaborator) commented Apr 22, 2019

Hi all, node-sass has yet to fix the issue, see: sass/node-sass#2625
At this point we are blocked until they do the fix and cut a release.

@subhashkonda commented Apr 22, 2019

Our CI pipelines are throwing this vulnerability, so what is the ETA for this issue?

@pablocid commented May 10, 2019

any updates?

@IsAmrish commented May 13, 2019

Any updates? Cannot wait for the right solution.

@pl4yradam commented May 13, 2019

@art3miz18 commented May 13, 2019

Still waiting for an appropriate solution :(

@subhashkonda commented May 13, 2019

Any ETA on this as our CI builds complain about this vulnerability.

josephkane added a commit to josephkane/supergiant that referenced this issue May 13, 2019

Update Frontend Deps
* update frontend deps to deal with security alerts

* 2 fixes are still outstanding: sass/node-sass#2625, angular/angular-cli#14138

josephkane referenced this issue May 13, 2019 in pull request "Update Frontend Deps" #1429 (merged)

@MacGyver214 commented May 13, 2019

@subhashkonda @art3miz18 @pl4yradam @IsAmrish @pablocid I think it's safe to say that if you still see the blocked tag on this issue, they are unable to execute work to fix it. Keep an eye on the fixes this work is dependent on; what is needed for the Angular team to do what they need to do has all been documented above.

@pl4yradam commented May 14, 2019

@MacGyver214 I'm not sure why I have been tagged, as I was providing a link to the issue?

@franciscojsr commented May 14, 2019

Hi! Is this issue going to be fixed soon? Thanks!
Angular CLI code error messages are not showing because of this issue.

@AlanCrevon commented May 14, 2019

For those wondering why fixing this issue takes so long, have a look at npm/node-tar#213: they are facing a corner case where updating a library might cause more problems than leaving the security breach open.

Let's hope someone will find a way to solve this. :)

gopherstein added a commit to supergiant/control that referenced this issue May 14, 2019

Update Frontend Deps (#1429)
* update frontend deps to deal with security alerts

* 2 fixes are still outstanding: sass/node-sass#2625, angular/angular-cli#14138

@alan-agius4 alan-agius4 pinned this issue May 14, 2019

@michel-jump commented May 15, 2019

A new version of tar has just been released:
npm/node-tar#212 (comment)

Node-sass:
sass/node-sass#2625 (comment)

@alan-agius4 (Collaborator) commented May 16, 2019

Closing the issue, as this seems to have been fixed upstream without the need for any changes on our side.

@pl4yradam commented May 16, 2019

@franciscojsr commented May 16, 2019

Yes! I just ran `npm audit fix` and it's solved!

@clydin clydin removed the blocked label May 16, 2019

@subhashkonda commented May 16, 2019

`npm audit fix` fixed all issues locally, but I still see my CI build showing the tar 2.2.2 high vulnerability. Do you see the issue as still open, or does this seem to be specific to my CI build?
Is anyone else facing the same?

@ShahanaFarooqui commented May 17, 2019

@subhashkonda I am also facing the same issue with GitHub. Vulnerability fixed on my local, but GitHub still shows it as vulnerable. They might need some more time to update their audit list :).

@xaviergxf commented May 17, 2019

@alan-agius4 do you know when the dependency will be updated, and a new version of @angular-devkit/build-angular will be released on version 7 (stable)?

@salah3x commented May 17, 2019

@xaviergxf, I don't think they need a new release for this issue since it's been fixed upstream.

@alan-agius4 (Collaborator) commented May 18, 2019

Indeed no release is needed from our side.

@weidenhaus commented May 27, 2019

27 May 2019 - Still facing the same issue when creating a new Angular project via the CLI: 12 high vulnerabilities found.

The following solved it for me:

`npm i -D node-sass node-pre-gyp node-gyp tar`

@subhashkonda commented Jun 6, 2019

I still have this same issue in CI builds, but locally it is all fine, `npm audit` gives 0 vulnerabilities. So what can be done here???
