
NPM audit of Angular 13 project shows 17 high vulnerabilities #9818

Closed
caplogCode opened this issue Apr 13, 2022 · 7 comments

Comments

@caplogCode

caplogCode commented Apr 13, 2022

Current Behavior

npm audit is delivering high severity vulns because of the async package dependency, which has to be updated.

Steps to Reproduce

Install nrwl angular to version: 13.10.1 and run npm audit.
Dependency Tree:

├─┬ @nrwl/angular@13.10.1
│ └─┬ @nrwl/devkit@13.10.1
│   └─┬ ejs@3.1.6
│     └─┬ jake@10.8.4
│       └── async@0.9.2

Failure Logs

$ npm audit
# npm audit report

async  <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install @nrwl/eslint-plugin-nx@11.1.5, which is a breaking change
node_modules/jake/node_modules/async
node_modules/portfinder/node_modules/async
  jake  >=8.0.1
  Depends on vulnerable versions of async
  node_modules/jake
    ejs  >=3.1.2
    Depends on vulnerable versions of jake
    node_modules/ejs
      @nrwl/devkit  *
      Depends on vulnerable versions of ejs
      node_modules/@nrwl/devkit
        @nrwl/angular  11.0.0-beta.1 - 999.9.9
        Depends on vulnerable versions of @nrwl/devkit
        Depends on vulnerable versions of @nrwl/linter
        Depends on vulnerable versions of @nrwl/storybook
        node_modules/@nrwl/angular
        @nrwl/cypress  8.0.0-alpha.1 - 8.0.0-rc.4 || 11.0.0-beta.1 - 999.9.9
        Depends on vulnerable versions of @nrwl/devkit
        Depends on vulnerable versions of @nrwl/linter
        Depends on vulnerable versions of @nrwl/workspace
        node_modules/@nrwl/cypress
        @nrwl/eslint-plugin-nx  11.0.0-beta.1 - 11.1.0-beta.4 || >=11.2.0-beta.1
        Depends on vulnerable versions of @nrwl/devkit
        Depends on vulnerable versions of @nrwl/workspace
        node_modules/@nrwl/eslint-plugin-nx
        @nrwl/jest  11.0.0-beta.1 - 999.9.9
        Depends on vulnerable versions of @nrwl/devkit
        node_modules/@nrwl/jest
          @nrwl/linter  11.2.0-beta.1 - 999.9.9
          Depends on vulnerable versions of @nrwl/devkit
          Depends on vulnerable versions of @nrwl/jest
          node_modules/@nrwl/linter
            @nrwl/storybook  >=11.0.0-beta.1
            Depends on vulnerable versions of @nrwl/devkit
            Depends on vulnerable versions of @nrwl/linter
            Depends on vulnerable versions of @nrwl/workspace
            node_modules/@nrwl/storybook
            @nrwl/workspace  11.0.0-beta.1 - 999.9.9
            Depends on vulnerable versions of @nrwl/devkit
            Depends on vulnerable versions of @nrwl/linter
            node_modules/@nrwl/workspace
  portfinder  0.1.0 || >=0.4.0
  Depends on vulnerable versions of async
  node_modules/portfinder
    http-server  >=0.8.0
    Depends on vulnerable versions of portfinder
    node_modules/http-server
    webpack-dev-server  >=2.0.0-beta
    Depends on vulnerable versions of portfinder
    node_modules/webpack-dev-server
      @angular-devkit/build-angular  *
      Depends on vulnerable versions of @angular-devkit/build-webpack
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-angular
        jest-preset-angular  9.0.0-next.0 - 9.0.4 || >=11.1.0
        Depends on vulnerable versions of @angular-devkit/build-angular
        node_modules/jest-preset-angular
      @angular-devkit/build-webpack  *
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-webpack

17 high severity vulnerabilities

Environment

nx report

NX Report complete - copy this into the issue template

Node : 16.13.2
OS : win32 x64
npm : 8.6.0

nx : 13.10.1
@nrwl/angular : 13.10.1
@nrwl/cypress : 13.10.1
@nrwl/detox : Not Found
@nrwl/devkit : 13.10.1
@nrwl/eslint-plugin-nx : 13.10.1
@nrwl/express : Not Found
@nrwl/jest : 13.10.1
@nrwl/js : Not Found
@nrwl/linter : 13.10.1
@nrwl/nest : Not Found
@nrwl/next : Not Found
@nrwl/node : Not Found
@nrwl/nx-cloud : Not Found
@nrwl/nx-plugin : Not Found
@nrwl/react : Not Found
@nrwl/react-native : Not Found
@nrwl/schematics : Not Found
@nrwl/storybook : 13.10.1
@nrwl/web : Not Found
@nrwl/workspace : 13.10.1
typescript : 4.6.3
rxjs : 7.5.5

Community plugins:
@fortawesome/angular-fontawesome: 0.10.2
@ngrx/component-store: 13.0.1
@ngrx/effects: 13.0.1
@ngrx/entity: 13.0.1
@ngrx/router-store: 13.0.1
@ngrx/store: 13.0.1
@ngrx/store-devtools: 13.0.1
@compodoc/compodoc: 1.1.19
@testing-library/angular: 11.0.4

@Cono52

Cono52 commented Apr 13, 2022

NPM audit is not very sophisticated in what it thinks is an actual vulnerability, i.e. code running on a user's device/a live server vs. just running locally or building in CI pipelines.

This blog post articulates some points on NPM audit quite well: https://overreacted.io/npm-audit-broken-by-design/

EDIT: Not saying to disregard the output completely.
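The dev-vs-runtime distinction raised above can be checked mechanically from the lockfile, since npm lockfile v2/v3 marks packages reachable only through devDependencies with `"dev": true`. The script below is an added example, not code from the issue or from the Nx project; the sample lockfile is constructed to mirror the tree in the issue, and the `node_modules/async` 3.2.1 entry and the portfinder version are hypothetical, added so that one production hit appears alongside the two dev-only copies.

```javascript
// Added example: classify every installed copy of a vulnerable package
// (here async below the fixed version 3.2.2 from GHSA-fwr7-v2mv-hh25) as
// dev-only (build/CI tooling) or reachable from production dependencies.

// Constructed sample lockfile (lockfileVersion 2 layout). Paths for jake and
// portfinder copies come from the issue; node_modules/async is hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { async: "^3.2.0" }, devDependencies: { "@nrwl/angular": "13.10.1" } },
    "node_modules/async": { version: "3.2.1" },
    "node_modules/@nrwl/angular": { version: "13.10.1", dev: true },
    "node_modules/@nrwl/devkit": { version: "13.10.1", dev: true },
    "node_modules/ejs": { version: "3.1.6", dev: true },
    "node_modules/jake": { version: "10.8.4", dev: true },
    "node_modules/jake/node_modules/async": { version: "0.9.2", dev: true },
    "node_modules/portfinder": { version: "1.0.0", dev: true }, // version hypothetical
    "node_modules/portfinder/node_modules/async": { version: "0.9.2", dev: true },
  },
};

// Compare dotted numeric versions (prerelease tags ignored).
// Returns a negative number if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Find every installed copy of `name` older than `fixedVersion` and report
// whether it is dev-only or reachable from production dependencies.
function findAffected(lock, name, fixedVersion) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry, not a package
    const segs = path.split("node_modules/"); // last segment is the package name
    if (segs[segs.length - 1] !== name) continue;
    if (compareVersions(entry.version, fixedVersion) >= 0) continue;
    hits.push({ path, version: entry.version, scope: entry.dev ? "dev-only" : "production" });
  }
  return hits;
}

// Usage: node this-file.js (prints the classified hits for the sample lock)
console.log(findAffected(SAMPLE_LOCK, "async", "3.2.2"));
```

Production hits are the ones that warrant the urgent upgrade; dev-only hits still deserve an update but reflect build-time exposure only.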

@AgentEnder AgentEnder added the scope: misc Misc issues label Apr 13, 2022
@kek-Sec

kek-Sec commented Apr 15, 2022

Can confirm the issue is on the async package - CVE-2021-43138
https://nvd.nist.gov/vuln/detail/CVE-2021-43138

@nrwl/cypress@13.10.2 requires async@^3.2.0 via a transitive dependency on getos@3.2.1
@nrwl/angular@13.10.2 requires async@^3.2.0 via a transitive dependency on getos@3.2.1
@nrwl/angular@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.4
@nrwl/cypress@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.4
@nrwl/eslint-plugin-nx@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.4
@nrwl/jest@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.4
@nrwl/linter@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.4
@nrwl/workspace@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.4

@fbartho

fbartho commented Apr 18, 2022

I'm running into this issue as well:

@nrwl/eslint-plugin-nx@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.2
@nrwl/express@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.2
@nrwl/jest@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.2
@nrwl/linter@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.2
@nrwl/node@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.2
@nrwl/workspace@13.10.2 requires async@0.9.x via a transitive dependency on jake@10.8.2

It's concerning that different @nrwl packages depend on vastly different versions of async. I think we're lucky that this didn't cause problems sooner.

@bojanbass

Any update on this issue? It should be tackled with higher priority IMO.

@caplogCode
Author

caplogCode commented Apr 26, 2022

Looks like async got an update. After running npm audit fix there is no vuln left for me.

@bojanbass

  1. if using yarn, there's no fix option
  2. creating a fresh NX repo still has this vulnerability present
  3. if there is @nrwl/storybook installed, there's a conflict when running npm audit fix
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! While resolving: gid@0.0.0
npm ERR! Found: react@18.0.0
npm ERR! node_modules/react
npm ERR!   react@"18.0.0" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer react@"^16.8.0 || ^17.0.0" from @storybook/builder-webpack5@6.4.13
npm ERR! node_modules/@storybook/builder-webpack5
npm ERR!   dev @storybook/builder-webpack5@"6.4.13" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR!
npm ERR! See /Users/bojan/.npm/eresolve-report.txt for a full report.

@github-actions

This issue has been closed for more than 30 days. If this issue is still occurring, please open a new issue with more recent context.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 22, 2023