Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

serialize-javascript high vulnerability #261

Closed
moridianmess opened this issue Aug 12, 2020 · 7 comments · Fixed by #263
Closed

serialize-javascript high vulnerability #261

moridianmess opened this issue Aug 12, 2020 · 7 comments · Fixed by #263
Labels
released

Comments

@moridianmess
Copy link

Are there any plans to update serialize-javascript in the near future? As I'm getting a high vulnerability on NPM as of today.

  High            Remote Code Execution

  Package         serialize-javascript

  Patched in      >=3.1.0

  Dependency of   @ionic/angular-toolkit [dev]

  Path            @ionic/angular-toolkit > copy-webpack-plugin >
                  serialize-javascript

  More info       https://npmjs.com/advisories/1548

found 1 vulnerabilities (1 high) in 1570 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Thanks in advance
@kalemteknoloji
Copy link

i have same problem

@valeriaraffa
Copy link

I have the same problem. Do I need the 'angular-toolkit' in an ionic 5 Angular 10, capacitor iOS and Android App?

@bkarv
Copy link

bkarv commented Aug 13, 2020

Yes same here, Ionic info below. Tried doing audit fix but it breaks the compiler (JS out memory)

Ionic:

   Ionic CLI                     : 6.10.0 (/usr/local/lib/node_modules/@ionic/cli)
   Ionic Framework               : @ionic/angular 5.3.1
   @angular-devkit/build-angular : 0.901.7
   @angular-devkit/schematics    : 9.1.7
   @angular/cli                  : 9.1.7
   @ionic/angular-toolkit        : 2.2.0

@WaseemRakab
Copy link

WaseemRakab commented Aug 13, 2020
edited

same issue here..

@edn9
Copy link

edn9 commented Aug 15, 2020
edited

Same issue here.

Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           


  High            Remote Code Execution                                         

  Package         serialize-javascript                                          

  Patched in      >=3.1.0                                                       

  Dependency of   @ionic/angular-toolkit [dev]                                  

  Path            @ionic/angular-toolkit > copy-webpack-plugin >                
                  serialize-javascript                                          

  More info       https://npmjs.com/advisories/1548                             

found 2 vulnerabilities (1 low, 1 high) in 1753 scanned packages
  1 vulnerability requires semver-major dependency updates.
  1 vulnerability requires manual review. See the full report for details.

Ionic Info

Ionic:

   Ionic CLI                     : 6.11.0 (C:\Users\dev\AppData\Roaming\npm\node_modules\@ionic\cli)
   Ionic Framework               : @ionic/angular 5.1.1
   @angular-devkit/build-angular : 0.901.12
   @angular-devkit/schematics    : 9.1.7
   @angular/cli                  : 9.1.12
   @ionic/angular-toolkit        : 2.2.0

Capacitor:

   Capacitor CLI   : 2.4.0
   @capacitor/core : 2.4.0

Utility:

   cordova-res : not installed
   native-run  : not installed

System:

   NodeJS : v12.18.3 (C:\Program Files\nodejs\node.exe)
   npm    : 6.14.6
   OS     : Windows 10

The weird thing is, the serialize say it's using the version 4.0.0, I dont know if I understand correctly:

serialize

mhartington added a commit that referenced this issue Aug 19, 2020
@mhartington
fix(deps): update deps for security vulnerabilities
cb8ad32 
Update various deps to validate npm audit

fix #261
@mhartington mhartington mentioned this issue Aug 19, 2020
Merged
@mhartington
Copy link
Member

Thanks for the heads up! Reviewing the changes and have the fix in a PR

mhartington added a commit that referenced this issue Aug 19, 2020
@mhartington
fix(deps): update deps for security vulnerabilities (#263)
f0e514d 
* fix(deps): update deps for security vulnerabilities

Update various deps to validate npm audit

fix #261

* chore(deps): dont ignore package-lock
Ionitron added a commit that referenced this issue Aug 19, 2020
@Ionitron
chore(release): 2.3.1 [skip ci]
4b6a66b 
## [2.3.1](v2.3.0...v2.3.1) (2020-08-19)

### Bug Fixes

* **deps:** update deps for security vulnerabilities ([#263](#263)) ([f0e514d](f0e514d)), closes [#261](#261)
@Ionitron
Copy link
Collaborator

🎉 This issue has been resolved in version 2.3.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

wand1252 added a commit to wand1252/angular-toolkit-develop that referenced this issue Aug 31, 2022
@wand1252
chore(release): 2.3.1 [skip ci]
dd8f89c 
## [2.3.1](ionic-team/angular-toolkit@v2.3.0...v2.3.1) (2020-08-19)

### Bug Fixes

* **deps:** update deps for security vulnerabilities ([#263](ionic-team/angular-toolkit#263)) ([f0e514d](ionic-team/angular-toolkit@f0e514d)), closes [#261](ionic-team/angular-toolkit#261)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(deps): update deps for security vulnerabilities ionic-team/angular-toolkit
8 participants
@mhartington @moridianmess @Ionitron @bkarv @edn9 @valeriaraffa @WaseemRakab @kalemteknoloji