Dependency Tree-kill 1.2.1 Vulnerability

[phoenix09208]

angular-devkit/build-angular@0.803.22 dependent on Tree-kill 1.2.1,

according to https://www.npmjs.com/advisories/1432, it is prone to command injection, please upgrade dependency to later version. Thanks

[DibyodyutiMondal]

This affects angular 9 rc-8 too

[cwilby]

A temporary workaround (that also works in situations where package maintainer has yet to release dependencies but y'know, security.)

First, run npm audit to determine which version needs to be fixed.

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tree-kill                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.2.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular-devkit/build-angular [dev]                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular-devkit/build-angular > tree-kill                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1432 (hi medium/hackernoon)     │
└───────────────┴──────────────────────────────────────────────────────────────┘

Ok, we need tree-kill@1.2.2.

Go to https://registry.npmjs.org/${PACKAGE}, in this case https://registry.npmjs.org/tree-kill and copy versions.${VERSION}.dist.integrity.

For tree-kill@1.2.2, it's sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A==.

Finally, open package-lock.json and change the require version of @angular-devkit/build-angular and the version/integirty for tree-kill.

{
    ...
    "dependencies": {
        "@angular-devkit/build-angular": {
            ...
            "requires": {
                ...
                "tree-kill": "1.2.2"
                ...
            }
            ...
        },
        ...
        "tree-kill": {
            "version": "1.2.2",
            "resolved": "https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.2.tgz",
            "integrity": "sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A==",
            "dev": true
        },
        ...
    }
    ...
}

Running npm audit shouldn't find any vulnerabilities if this was the only issue.

                       === npm audit security report ===                        
                                                                                
found 0 vulnerabilities

Some caveats - when the package maintainer updates their package but doesn't update the affected required package, you'll need to do this again. However, if they do update the affected package, you won't need to do any extra work.

[alan-agius4]

Fixed via #16634