Vulnerability in inflight dependency in the dependency chain of @angular-devkit/build-angular #27842

@brayanlelo8

Command

build

Description

I have identified a vulnerability in the dependency chain of @angular-devkit/build-angular, specifically in the inflight dependency. The inflight library has not received updates or support and presents a critical resource release vulnerability.

Describe the solution you'd like

Dependency name: inflight
Version: 1.0.6
Vulnerability description: Missing Release of Resource after Effective Lifetime
Technical details:

  • Affected package: inflight

  • Detailed vulnerability path:

@angular-devkit/build-angular@18.0.3 › babel-plugin-istanbul@6.1.1 › test-exclude@6.0.0 › glob@7.2.3 › inflight@1.0.6

  • Description: The affected versions of this package are vulnerable to missing release of resource after effective lifetime via the makeres function. Improperly deleting keys from the reqs object after executing callbacks causes the keys to remain in the reqs object, leading to resource exhaustion, which can result in node process or application crash.

Describe alternatives you've considered

  • The babel-plugin-istanbul@6.1.1 library has not been updated in over 3 years, suggesting it is no longer maintained.

  • However, the test-exclude and glob libraries have received updates and are currently maintained, indicating that the problem mainly lies with the outdated babel-plugin-istanbul.

  • PoC (Proof of Concept)

const inflight = require('inflight');

// Queue one million callbacks under a fresh key on every tick and never
// invoke the wrapper that inflight returns, so no key is ever released.
function testInflight() {
  let i = 0;
  function scheduleNext() {
    let key = `key-${i++}`;
    const callback = () => {
    };
    for (let j = 0; j < 1000000; j++) {
      inflight(key, callback);
    }

    // Log heap growth every 100 keys.
    if (i % 100 === 0) {
      console.log(process.memoryUsage());
    }

    setImmediate(scheduleNext);
  }

  scheduleNext();
}

testInflight();
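As an added illustration, not code from the issue or from the inflight package, the block below reimplements the makeres/reqs pattern the report describes and shows both paths: the key is released once the wrapper returned to the first caller fires, and it stays resident when that wrapper is never called. The bounded variant at the end is an assumed mitigation, not an inflight feature.

```javascript
// Added illustration, not the inflight package's own code: a minimal
// inflight-style coalescer built from the makeres/reqs behaviour the issue
// describes. A key stays in `reqs` until the wrapper handed to the first
// caller is invoked; if that never happens the key is never released.
function makeCoalescer() {
  const reqs = new Map(); // key -> pending callbacks
  function inflight(key, cb) {
    if (reqs.has(key)) {            // duplicate request: queue and wait
      reqs.get(key).push(cb);
      return null;
    }
    reqs.set(key, [cb]);            // first request: caller owns the release
    return function release(...args) {
      const cbs = reqs.get(key) || [];
      reqs.delete(key);             // release before running callbacks
      for (const fn of cbs) fn(...args);
    };
  }
  const pending = () => reqs.size;
  const queued = (key) => (reqs.get(key) || []).length;
  return { inflight, pending, queued };
}

// Queue `n` callbacks under one key, then either fire the wrapper (normal
// use) or drop it (what the issue's PoC does); report what stays resident.
function scenario(n, fireRelease) {
  const c = makeCoalescer();
  let ran = 0;
  let release = null;
  for (let i = 0; i < n; i++) {
    const r = c.inflight('k', () => { ran++; });
    if (r) release = r;             // only the first call gets a wrapper
  }
  if (fireRelease) release('done');
  return { pending: c.pending(), queued: c.queued('k'), ran };
}

// Defensive wrapper (an assumption, not part of inflight): refuse to queue
// more than `maxQueued` callbacks under one key, so a key whose wrapper is
// never fired cannot grow without bound.
function makeBoundedCoalescer(maxQueued) {
  const c = makeCoalescer();
  return {
    ...c,
    inflight(key, cb) {
      if (c.queued(key) >= maxQueued) throw new Error(`too many pending callbacks for ${key}`);
      return c.inflight(key, cb);
    },
  };
}
```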
