From 1f980ad31c0cb374e10d0d3a5e32248cb8827568 Mon Sep 17 00:00:00 2001
From: Sofia Boldyreva
Date: Wed, 24 Sep 2025 15:04:48 +0200
Subject: [PATCH 1/3] JavaScript docs updates
---
 .../angular/README.md | 102 ++++++++++++++----
 .../angularjs/README.md | 41 ++++---
 .../lodash/README.md | 19 +++-
 3 files changed, 123 insertions(+), 39 deletions(-)
diff --git a/docs/els-for-runtimes-and-libraries/angular/README.md b/docs/els-for-runtimes-and-libraries/angular/README.md
index e6492ed76..1ba988adc 100644
--- a/docs/els-for-runtimes-and-libraries/angular/README.md
+++ b/docs/els-for-runtimes-and-libraries/angular/README.md
@@ -83,7 +83,8 @@ TuxCare provides ELS for Angular as an NPM package, hosted on a secure internal
 "karma-jasmine-html-reporter": "~2.0.0",
 "typescript": "~4.7.2"
 },
- "overrides": {
+ "overrides":
+ {
 "@angular/animations": "npm:@els-js/angular-animations@14.3.0-tuxcare.1",
 "@angular/common": "npm:@els-js/angular-common@14.3.0-tuxcare.1",
 "@angular/compiler": "npm:@els-js/angular-compiler@14.3.0-tuxcare.1",
@@ -92,7 +93,16 @@ TuxCare provides ELS for Angular as an NPM package, hosted on a secure internal
 "@angular/platform-browser": "npm:@els-js/angular-platform-browser@14.3.0-tuxcare.1",
 "@angular/platform-browser-dynamic": "npm:@els-js/angular-platform-browser-dynamic@14.3.0-tuxcare.1",
 "@angular/router": "npm:@els-js/angular-router@14.3.0-tuxcare.1",
- "rxjs": "^7.4.0"
+ "rxjs": "^7.4.0",
+ "@babel/runtime": "7.26.10",
+ "esbuild": "0.25.0",
+ "webpack-dev-middleware": "5.3.4",
+ "webpack-dev-server": "5.2.1",
+ "webpack": "5.94.0",
+ "tmp": "^0.2.4",
+ "*": {
+ "tmp": "^0.2.4"
+ }
 }
 ```
@@ -153,7 +163,15 @@ TuxCare provides ELS for Angular as an NPM package, hosted on a secure internal
 "@angular/platform-browser-dynamic": "npm:@els-js/angular-platform-browser-dynamic@15.2.10-tuxcare.1",
 "@angular/router": "npm:@els-js/angular-router@15.2.10-tuxcare.1",
 "@angular/compiler-cli": "npm:@els-js/angular-compiler-cli@15.2.10-tuxcare.1",
- "rxjs": "^7.4.0"
+ "rxjs": "^7.4.0",
+ "@babel/runtime": "7.26.10",
+ "esbuild": "0.25.0",
+ "webpack-dev-server": "5.2.1",
+ "webpack": "5.94.0",
+ "tmp": "^0.2.4",
+ "*": {
+ "tmp": "^0.2.4"
+ }
 }
 ```
@@ -205,7 +223,8 @@ TuxCare provides ELS for Angular as an NPM package, hosted on a secure internal
 "karma-jasmine-html-reporter": "~2.1.0",
 "typescript": "~5.1.3"
 },
- "overrides": {
+ "overrides":
+ {
 "@angular/animations": "npm:@els-js/angular-animations@16.2.12-tuxcare.1",
 "@angular/common": "npm:@els-js/angular-common@16.2.12-tuxcare.1",
 "@angular/compiler": "npm:@els-js/angular-compiler@16.2.12-tuxcare.1",
@@ -214,7 +233,15 @@ TuxCare provides ELS for Angular as an NPM package, hosted on a secure internal
 "@angular/platform-browser": "npm:@els-js/angular-platform-browser@16.2.12-tuxcare.1",
 "@angular/platform-browser-dynamic": "npm:@els-js/angular-platform-browser-dynamic@16.2.12-tuxcare.1",
 "@angular/compiler-cli": "npm:@els-js/angular-compiler-cli@16.2.12-tuxcare.1",
- "@angular/router": "npm:@els-js/angular-router@16.2.12-tuxcare.1"
+ "@angular/router": "npm:@els-js/angular-router@16.2.12-tuxcare.1",
+ "rxjs": "^7.4.0",
+ "@babel/runtime": "7.26.10",
+ "esbuild": "0.25.0",
+ "webpack-dev-server": "5.2.1",
+ "tmp": "^0.2.4",
+ "*": {
+ "tmp": "^0.2.4"
+ }
 }
 ```
@@ -314,7 +341,17 @@ TuxCare provides ELS for Angular as an NPM package, hosted on a secure internal
-5. Ensure your npm is up to date.
+5. You need to remove the `node_modules` directory and the `package-lock.json` file, and also clear the `npm cache` before installing the patched packages. Use the following commands:
+
+
+
+ ```text
+ rm -rf node_modules package-lock.json && npm cache clean --force
+ ```
+
+
+
+6. Ensure your npm is up to date.
 :::tip
@@ -330,7 +367,7 @@ TuxCare provides ELS for Angular as an NPM package, hosted on a secure internal
 :::
-6. Run the following command to install ELS for Angular dependencies (token for the TuxCare repository will be automatically picked up from your `.npmrc` file):
+7. Run the following command to install ELS for Angular dependencies (token for the TuxCare repository will be automatically picked up from your `.npmrc` file):
@@ -343,17 +380,12 @@ TuxCare provides ELS for Angular as an NPM package, hosted on a secure internal
 You will see an output like:
 ```text
- changed 8 packages, and audited 994 packages in 3s
-
- 128 packages are looking for funding
+ added 925 packages, and audited 926 packages in 3m
+
+ 158 packages are looking for funding
 run `npm fund` for details
- 10 vulnerabilities (4 low, 6 moderate)
-
- To address all issues (including breaking changes), run:
- npm audit fix --force
-
- Run `npm audit` for details.
+ found 0 vulnerabilities
 ```
 6. You've successfully integrated the TuxCare ELS for Angular repository into your project.
@@ -486,7 +518,12 @@ const Angular19WithoutSSR =
 "@angular/platform-server": "npm:@els-js/angular-platform-server@18.2.13-tuxcare.1",
 "@angular/router": "npm:@els-js/angular-router@18.2.13-tuxcare.1",
 "@angular/compiler-cli": "npm:@els-js/angular-compiler-cli@18.2.13-tuxcare.1",
- "rxjs": "^7.4.0"
+ "rxjs": "^7.4.0",
+ "esbuild": "^0.25.0",
+ "tmp": "^0.2.4",
+ "*": {
+ "tmp": "^0.2.4"
+ }
 }`
 const Angular18WithoutSSR =
@@ -526,7 +563,12 @@ const Angular18WithoutSSR =
 "@angular/platform-browser-dynamic": "npm:@els-js/angular-platform-browser-dynamic@18.2.13-tuxcare.1",
 "@angular/router": "npm:@els-js/angular-router@18.2.13-tuxcare.1",
 "@angular/compiler-cli": "npm:@els-js/angular-compiler-cli@18.2.13-tuxcare.1",
- "rxjs": "^7.4.0"
+ "rxjs": "^7.4.0",
+ "esbuild": "^0.25.0",
+ "tmp": "^0.2.4",
+ "*": {
+ "tmp": "^0.2.4"
+ }
 }`
 const Angular17WithSSR =
@@ -559,7 +601,8 @@ const Angular17WithSSR =
 "karma-jasmine-html-reporter": "~2.1.0",
 "typescript": "~5.4.2"
 },
- "overrides": {
+ "overrides":
+ {
 "@angular/animations": "npm:@els-js/angular-animations@17.3.12-tuxcare.1",
 "@angular/common": "npm:@els-js/angular-common@17.3.12-tuxcare.1",
 "@angular/compiler": "npm:@els-js/angular-compiler@17.3.12-tuxcare.1",
@@ -570,7 +613,14 @@ const Angular17WithSSR =
 "@angular/platform-browser-dynamic": "npm:@els-js/angular-platform-browser-dynamic@17.3.12-tuxcare.1",
 "@angular/platform-server": "npm:@els-js/angular-platform-server@17.3.12-tuxcare.1",
 "@angular/router": "npm:@els-js/angular-router@17.3.12-tuxcare.1",
- "rxjs": "^7.4.0"
+ "rxjs": "^7.4.0",
+ "esbuild": "0.25.0",
+ "webpack-dev-server": "5.2.1",
+ "http-proxy-middleware": "2.0.9",
+ "tmp": "^0.2.4",
+ "*": {
+ "tmp": "^0.2.4"
+ }
 }`
 const Angular17WithoutSSR =
@@ -600,7 +650,8 @@ const Angular17WithoutSSR =
 "karma-jasmine-html-reporter": "~2.1.0",
 "typescript": "~5.4.2"
 },
- "overrides": {
+ "overrides":
+ {
 "@angular/animations": "npm:@els-js/angular-animations@17.3.12-tuxcare.1",
 "@angular/common": "npm:@els-js/angular-common@17.3.12-tuxcare.1",
 "@angular/compiler": "npm:@els-js/angular-compiler@17.3.12-tuxcare.1",
@@ -609,6 +660,13 @@ const Angular17WithoutSSR =
 "@angular/platform-browser": "npm:@els-js/angular-platform-browser@17.3.12-tuxcare.1",
 "@angular/platform-browser-dynamic": "npm:@els-js/angular-platform-browser-dynamic@17.3.12-tuxcare.1",
 "@angular/router": "npm:@els-js/angular-router@17.3.12-tuxcare.1",
- "rxjs": "^7.4.0"
+ "rxjs": "^7.4.0",
+ "esbuild": "0.25.0",
+ "webpack-dev-server": "5.2.1",
+ "http-proxy-middleware": "2.0.9",
+ "tmp": "^0.2.4",
+ "*": {
+ "tmp": "^0.2.4"
+ }
 }`
diff --git a/docs/els-for-runtimes-and-libraries/angularjs/README.md b/docs/els-for-runtimes-and-libraries/angularjs/README.md
index e74bb731e..1a2494be4 100644
--- a/docs/els-for-runtimes-and-libraries/angularjs/README.md
+++ b/docs/els-for-runtimes-and-libraries/angularjs/README.md
@@ -109,7 +109,17 @@ TuxCare provides ELS for AngularJS as an NPM package, hosted on a secure interna
-5. Run the following command to install ELS for AngularJS dependencies (token for the TuxCare repository will be automatically picked up from your .npmrc file):
+5. You need to remove the `node_modules` directory and the `package-lock.json` file, and also clear the `npm cache` before installing the patched packages. Use the following commands:
+
+
+
+ ```text
+ rm -rf node_modules package-lock.json && npm cache clean --force
+ ```
+
+
+
+6. Run the following command to install ELS for AngularJS dependencies (token for the TuxCare repository will be automatically picked up from your .npmrc file):
@@ -127,25 +137,26 @@ TuxCare provides ELS for AngularJS as an NPM package, hosted on a secure interna
 found 0 vulnerabilities
 ```
-6. You've successfully integrated the TuxCare ELS for AngularJS repository into your project.
+7. You've successfully integrated the TuxCare ELS for AngularJS repository into your project.
 ## Resolved CVEs
 Fixes for the following vulnerabilities are available in ELS for AngularJS from TuxCare versions:
-| CVE ID | Severity | Vulnerable Version | Safe Version |
-| --- | --- | --- | --- |
-| CVE-2025-0716 | Medium | >=0.0.0 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 |
-| CVE-2024-8372 | Medium | >=1.3.0-rc.4 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 |
-| CVE-2024-8373 | Medium | >=0.0.0 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 |
-| CVE-2024-21490 | High | >=1.3.0 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 |
-| CVE-2023-26118 | Medium | >=1.4.9 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 |
-| CVE-2023-26117 | Medium | >=1.0.0 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 |
-| CVE-2023-26116 | Medium | >=1.2.21 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 |
-| CVE-2022-25869 | Medium | >=0.0.0| 1.5.11, 1.6.10, 1.7.9, 1.8.3 |
-| CVE-2022-25844 | Medium | >=1.7.0 | 1.7.9, 1.8.3 |
-| CVE-2020-7676 | Medium | <1.8.0 | 1.5.11, 1.6.10, 1.7.9 |
-| CVE-2019-10768 | Critical | <1.7.9 | 1.5.11, 1.6.10, 1.7.9 |
+| CVE ID | Severity | Affected Libraries | Vulnerable Version | Safe Version |
+| :------------: | :------: | :-----------------: | :----------------: | :----------: |
+| CVE-2025-0716 | Medium | AngularJS | >=0.0.0 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 |
+| CVE-2024-8372 | Medium | AngularJS | >=1.3.0-rc.4 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 |
+| CVE-2024-8373 | Medium | AngularJS | >=0.0.0 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 |
+| CVE-2024-21490 | High | AngularJS | >=1.3.0 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 |
+| CVE-2024-33665 | Medium | Angular Translate | <2.19.1 | 2.19.1 |
+| CVE-2023-26118 | Medium | AngularJS | >=1.4.9 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 |
+| CVE-2023-26117 | Medium | AngularJS | >=1.0.0 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 |
+|
CVE-2023-26116 | Medium | AngularJS | >=1.2.21 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 |
+| CVE-2022-25869 | Medium | AngularJS | >=0.0.0 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 |
+| CVE-2022-25844 | Medium | AngularJS | >=1.7.0 | 1.7.9, 1.8.3 |
+| CVE-2020-7676 | Medium | AngularJS | <1.8.0 | 1.5.11, 1.6.10, 1.7.9 |
+| CVE-2019-10768 | Critical | AngularJS | <1.7.9 | 1.5.11, 1.6.10, 1.7.9 |
 If you are interested in the TuxCare Endless Lifecycle Support, contact [sales@tuxcare.com](mailto:sales@tuxcare.com).
diff --git a/docs/els-for-runtimes-and-libraries/lodash/README.md b/docs/els-for-runtimes-and-libraries/lodash/README.md
index 50a4acb4f..b3c0bfdcf 100644
--- a/docs/els-for-runtimes-and-libraries/lodash/README.md
+++ b/docs/els-for-runtimes-and-libraries/lodash/README.md
@@ -105,7 +105,17 @@ TuxCare provides ELS for Lodash as an NPM package, hosted on a secure internal r
-5. Run the following command to install the ELS version of the Lodash library (token for the TuxCare repository will be automatically picked up from your `.npmrc` file):
+5. You need to remove the `node_modules` directory and the `package-lock.json` file, and also clear the `npm cache` before installing the patched packages. Use the following commands:
+
+
+
+ ```text
+ rm -rf node_modules package-lock.json && npm cache clean --force
+ ```
+
+
+
+6. Run the following command to install the ELS version of the Lodash library (token for the TuxCare repository will be automatically picked up from your `.npmrc` file):
@@ -123,5 +133,10 @@ TuxCare provides ELS for Lodash as an NPM package, hosted on a secure internal r
 found 0 vulnerabilities
 ```
-6. You've successfully installed the Tuxcare ELS version of the Lodash library into your project.
+7. You've successfully installed the Tuxcare ELS version of the Lodash library into your project.
+
+## Vulnerability Exploitability eXchange (VEX)
+
+VEX is a machine-readable format that tells you if a known vulnerability and is actually exploitable in your product. It reduces false positives, helps prioritize real risks.
+TuxCare provides VEX for Lodash ELS versions: [security.tuxcare.com/vex/cyclonedx/els_lang_javascript/lodash/](https://security.tuxcare.com/vex/cyclonedx/els_lang_javascript/lodash/).
From 4bd0a99de50091cc02b116407d90068a14222744 Mon Sep 17 00:00:00 2001
From: Sofia Boldyreva
Date: Wed, 24 Sep 2025 15:56:01 +0200
Subject: [PATCH 2/3] Add how to update sections
---
 .../angular/README.md | 13 ++++++++++
 .../angularjs/README.md | 25 +++++++++++++++++++
 .../lodash/README.md | 25 +++++++++++++++++++
 3 files changed, 63 insertions(+)
diff --git a/docs/els-for-runtimes-and-libraries/angular/README.md b/docs/els-for-runtimes-and-libraries/angular/README.md
index 1ba988adc..b1067f040 100644
--- a/docs/els-for-runtimes-and-libraries/angular/README.md
+++ b/docs/els-for-runtimes-and-libraries/angular/README.md
@@ -390,6 +390,19 @@ TuxCare provides ELS for Angular as an NPM package, hosted on a secure internal
 6. You've successfully integrated the TuxCare ELS for Angular repository into your project.
+## How to Upgrade to a Newer Version of TuxCare Packages
+
+If you have already installed a package with a `tuxcare.1` suffix and want to upgrade to a newer release (for example, `tuxcare.3`), you need to update the version string in your `package.json`, remove installed files and clear npm cache to avoid conflicts:
+
+
+
+ ```text
+ rm -rf node_modules package-lock.json && npm cache clean --force
+ npm install
+ ```
+
+
+
diff --git a/docs/els-for-runtimes-and-libraries/lodash/README.md b/docs/els-for-runtimes-and-libraries/lodash/README.md
index d5515e964..26f7a9260 100644
--- a/docs/els-for-runtimes-and-libraries/lodash/README.md
+++ b/docs/els-for-runtimes-and-libraries/lodash/README.md
@@ -59,9 +59,6 @@ TuxCare provides ELS for Lodash as an NPM package, hosted on a secure internal r
 ```text
 "dependencies": {
 "lodash": "npm:@els-js/lodash@4.5.0-tuxcare.2"
- },
- "overrides": {
- "lodash": "npm:@els-js/lodash@4.5.0-tuxcare.2"
 }
 ```
@@ -76,9 +73,6 @@ TuxCare provides ELS for Lodash as an NPM package, hosted on a secure internal r
 ```text
 "dependencies": {
 "lodash": "npm:@els-js/lodash@4.17.15-tuxcare.2"
- },
- "overrides": {
- "lodash": "npm:@els-js/lodash@4.17.15-tuxcare.2"
 }
 ```
@@ -93,9 +87,6 @@ TuxCare provides ELS for Lodash as an NPM package, hosted on a secure internal r
 ```text
 "dependencies": {
 "lodash": "npm:@els-js/lodash@4.17.19-tuxcare.2"
- },
- "overrides": {
- "lodash": "npm:@els-js/lodash@4.17.19-tuxcare.2"
 }
 ```