Snyk Vulnerability: 3 High Severity Vulnerability Found in Angular 9.1.0

[kumaran-is]

🐞 bug report

Affected Package

Angular 9 uses vulnerable version of dependency package karma@4.1.0 and http-server@0.11.1. For more detail, refer to the description section

Is this a regression?

This Vulnerability was there in version 9.0.x

Description

Angular 9.1.0 has 3 high-severity vulnerabilities:

✗ High severity vulnerability found in useragent
Description: Regular Expression Denial of Service (ReDoS)
Info: https://snyk.io/vuln/SNYK-JS-USERAGENT-174737
Introduced through: karma@4.1.0
From: karma@4.1.0 > useragent@2.3.0

✗ High severity vulnerability found in qs
Description: Prototype Override Protection Bypass
Info: https://snyk.io/vuln/npm:qs:20170213
Introduced through: http-server@0.11.1
From: http-server@0.11.1 > union@0.4.6 > qs@2.3.3

✗ High severity vulnerability found in ecstatic
Description: Denial of Service (DoS)
Info: https://snyk.io/vuln/SNYK-JS-ECSTATIC-540354
Introduced through: http-server@0.11.1
From: http-server@0.11.1 > ecstatic@3.3.2

For complete SNYK report, refer the attachment

🌍 Your Environment

Angular Version:

Angular CLI: 9.1.0
Node: 12.13.0
OS: darwin x64

Angular: 
... 
Ivy Workspace: 

Package                      Version
------------------------------------------------------
@angular-devkit/architect    0.901.0
@angular-devkit/core         9.1.0
@angular-devkit/schematics   9.1.0
@schematics/angular          9.1.0
@schematics/update           0.901.0
rxjs                         
[angular 9.1.x snyk-output.txt](https://github.com/angular/angular/files/4429037/angular.9.1.x.snyk-output.txt)
6.5.4

[kumaran-is]

angular 9.1.x snyk-output.txt

[kara]

The framework itself does not ship with those dependencies, but the CLI does use them. Transferring this issue to the CLI team for investigation.

[clydin]

http-server is not a dependency of the Angular CLI nor installed within a new project. This was most likely installed manually within the project.

karma, however, is installed within a new project. To rectify the useragent package warning, karma would need to either change dependencies or wait for an update to the package. There is an open issue with the useragent project from June 2019 regarding this issue (3rd-Eden/useragent#147). However, no releases have been made.

[devoto13]

Karma has already switched to a different UA parser, but not released yet: karma-runner/karma#3440.

[kumaran-is]

Karma release v5.0.0 is out https://github.com/karma-runner/karma/blob/master/CHANGELOG.md