Skip to content
This repository has been archived by the owner on Dec 8, 2022. It is now read-only.

Vulnerability in ng-packager 9.1.5 #327

Open
MathiasSpicer opened this issue Oct 6, 2020 · 5 comments
Open

Vulnerability in ng-packager 9.1.5 #327

MathiasSpicer opened this issue Oct 6, 2020 · 5 comments

Comments

@MathiasSpicer
Copy link

There is a vulnerability in ng-packager 9.1.5 it looks like an update to 10.1.1 would fix the vulnerability.

@Blackbaud-MatthewMiles
Copy link

Blackbaud-MatthewMiles commented Nov 12, 2020

+1

@ghost
Copy link

ghost commented Nov 30, 2020

+3

@Blackbaud-SteveBrush
Copy link
Member

The problem might be solvable without a change to Builder by running skyux upgrade followed by npm audit fix.

@Blackbaud-ChristiSchneider
Copy link
Contributor

I don't think updating to 10.1.1 will fix all current vulnerabilities, I think we need to update to ng-packagr@11.2.1.

CVE-2021-23362 (Severity Medium 5.3) hosted-git-info@2.8.8 is vulnerable and should be updated to 3.0.8.

  • "hosted-git-info": "^2.1.4" is a dependency of normalize-package-data@2.5.0 => fixed in normalize-package-data >= 3.0.1
  • "normalize-package-data": "^2.5.0" is a dependency of read-pkg@5.2.0 => fixed in read-pkg >= 6.0.0
  • "read-pkg": "^5.0.0" is a dependency of read-pkg-up@5.0.0 => fixed in read-pkg-up >= 8.0.0
  • "read-pkg-up": "^5.0.0" is a dependency of ng-packagr@9.1.5 => removed in ng-packagr@11.2.1
  • "ng-packagr": "9.1.5" is a dependency of @skyux-sdk/builder@4.7.1

CVE-2020-7735 (Severity Medium 6.6) ng-packagr@9.1.5 is vulnerable and should be updated to 10.1.1

skyux upgrade and npm audit fix do not fix the issues.

@Blackbaud-KerryCampbell

1595514

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

5 participants