Vulnerability in ng-packager 9.1.5 #327

MathiasSpicer · 2020-10-06T18:19:34Z

There is a vulnerability in ng-packager 9.1.5 it looks like an update to 10.1.1 would fix the vulnerability.

Blackbaud-MatthewMiles · 2020-11-12T19:19:43Z

+1

Blackbaud-RakeshGarg · 2020-11-30T14:56:36Z

+3

Blackbaud-SteveBrush · 2021-01-07T16:15:19Z

The problem might be solvable without a change to Builder by running skyux upgrade followed by npm audit fix.

Blackbaud-ChristiSchneider · 2021-03-30T18:11:45Z

I don't think updating to 10.1.1 will fix all current vulnerabilities, I think we need to update to ng-packagr@11.2.1.

CVE-2021-23362 (Severity Medium 5.3) hosted-git-info@2.8.8 is vulnerable and should be updated to 3.0.8.

"hosted-git-info": "^2.1.4" is a dependency of normalize-package-data@2.5.0 => fixed in normalize-package-data >= 3.0.1
"normalize-package-data": "^2.5.0" is a dependency of read-pkg@5.2.0 => fixed in read-pkg >= 6.0.0
"read-pkg": "^5.0.0" is a dependency of read-pkg-up@5.0.0 => fixed in read-pkg-up >= 8.0.0
"read-pkg-up": "^5.0.0" is a dependency of ng-packagr@9.1.5 => removed in ng-packagr@11.2.1
"ng-packagr": "9.1.5" is a dependency of @skyux-sdk/builder@4.7.1

CVE-2020-7735 (Severity Medium 6.6) ng-packagr@9.1.5 is vulnerable and should be updated to 10.1.1

skyux upgrade and npm audit fix do not fix the issues.

Blackbaud-KerryCampbell · 2021-05-25T21:47:54Z

Blackbaud-SteveBrush added From: Consumer Impact: Medium Severity: Medium Type: Bug labels Oct 7, 2020

Blackbaud-SteveBrush self-assigned this Oct 7, 2020

Blackbaud-SteveBrush mentioned this issue Oct 21, 2020

Vulnerability in ng-packagr 9.1.5 #330

Closed

Blackbaud-SteveBrush mentioned this issue Jan 7, 2021

Fix package vulnerabilities; add support for @skyux/config@^4.4.0 #339

Closed

Blackbaud-KerryCampbell added Type: Bug and removed Type: Bug labels May 25, 2021

Provide feedback