vulnerable package version of custom-webpack being used inside build-angular for v12 #22433
Comments
|
We have the same issue on our team. This high severity security vulnerability was detected by GitHub way back in September: GHSA-whgm-jr23-g3j9 and is one of the last open issues we have, but we can't resolve it ourselves. Will we have to move to v13 to get this fixed or could v12 be updated here: https://github.com/angular/angular-cli/blob/12.2.x/packages/angular_devkit/build_angular/package.json#L75, as well? |
|
@gonadarian as per my analysis just it has to be updated to version 3.11.3. I can even work on PR but I need confirmation from any person from angular team. @alan-agius4 do you have any input in this ? |
|
@iRealNirmal, agreed - 3.11.3 switched from |
|
@alan-agius4 I can help in this, is it possible to assign it to me. If you think other wise then let me know. |
|
@iRealNirmal, sure. Note that you need to do 2 PRs, one for the v11 and another for v12. |
|
@iRealNirmal, do you think you will be able to create the PRs today? Since today we will be cutting the release, otherwise this would have to wait another week. |
|
@alan-agius4 yes I was working yesterday but just was rebuilding yarn.lock as it was having both entry. On creating new yarn.lock it was still having ansi-html:0.0.7. On further divining it, it seemed we have entry at 2 place on root package.json and in angular_devkit/build_angular. So I will update at both place, let me know if it sounds good. |
|
I am planning to raise it in max 2 to 4 hours, once I feel confident. |
|
Yeah, you need to update both package.json files. |
…est security patch webpack-dev-server version 3.11.2 was using ansi-html which is depreciated but in latest version 3.11.3 it's changed to ansi-html-community version 0.0.8 which resolves issue. closes angular#22433
…est security patch webpack-dev-server version 3.11.2 was using ansi-html which is depreciated but in latest version 3.11.3 it's changed to ansi-html-community version 0.0.8 which resolves issue. closes angular#22433
…est security patch webpack-dev-server version 3.11.2 was using ansi-html which is depreciated but in latest version 3.11.3 it's changed to ansi-html-community version 0.0.8 which resolves issue. closes #22433
…est security patch webpack-dev-server version 3.11.2 was using ansi-html which is depreciated but in latest version 3.11.3 it's changed to ansi-html-community version 0.0.8 which resolves issue. closes #22433
|
Closed via #22483 |
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
Recently GitHub dependbot showing vulnerability for ansi-html in package-lock.json for projects.
On back tracking it was coming from webpack-dev-server version 3.11.2 but it's removed in 3.11.3 patch update.
Once webpack-dev-server version is updated to v3.11.3 this issue will be resolved.
The text was updated successfully, but these errors were encountered: