npm audit async #985

Closed
dertuerke opened this issue Apr 13, 2022 · 11 comments
Labels
dependencies Pull requests that update a dependency file

Comments

@dertuerke

installed version "@angular-eslint/builder": "13.2.0",

# npm audit report

async  <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install @angular-eslint/builder@12.2.1, which is a breaking change
node_modules/async
node_modules/portfinder/node_modules/async
  jake  >=8.0.1
  Depends on vulnerable versions of async
  node_modules/jake
    ejs  >=3.1.2
    Depends on vulnerable versions of jake
    node_modules/ejs
      @nrwl/devkit  *
      Depends on vulnerable versions of ejs
      node_modules/@nrwl/devkit
        @angular-eslint/builder  >=12.2.2-alpha.0
        Depends on vulnerable versions of @nrwl/devkit
        node_modules/@angular-eslint/builder
  portfinder  0.1.0 || >=0.4.0
  Depends on vulnerable versions of async
  node_modules/portfinder
    webpack-dev-server  >=2.0.0-beta
    Depends on vulnerable versions of portfinder
    node_modules/webpack-dev-server
      @angular-devkit/build-angular  *
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-angular
@dertuerke dertuerke added package: builder Angular CLI builder which enables executing ESLint in Angular CLI workspaces triage This issue needs to be looked at and categorized by a maintainer labels Apr 13, 2022
@dennisrathinam

dennisrathinam commented Apr 14, 2022

npm audit report finds the below; how do I fix this? It says "no fix available", so my attempt to do an auto fix with `npm audit fix --force` didn't help.

# npm audit report
async  <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
No fix available
node_modules/async
  portfinder  0.1.0 || >=0.4.0
  Depends on vulnerable versions of async
  node_modules/portfinder
    webpack-dev-server  >=2.0.0-beta
    Depends on vulnerable versions of portfinder
    node_modules/webpack-dev-server
      @angular-devkit/build-angular  *
      Depends on vulnerable versions of @angular-devkit/build-webpack
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-angular
      @angular-devkit/build-webpack  *
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-webpack

5 high severity vulnerabilities

@matiukhov

Same problem. This helped me:
npm audit --production
But after installing another dependency the problem came back.

@dvalley56

The same happened to me today after installing a library. Removing it and deleting node_modules and the package lock file didn't help.


async  <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
No fix available
node_modules/async
  portfinder  0.1.0 || >=0.4.0
  Depends on vulnerable versions of async
  node_modules/portfinder
    webpack-dev-server  >=2.0.0-beta
    Depends on vulnerable versions of portfinder
    node_modules/webpack-dev-server
      @angular-devkit/build-angular  *
      Depends on vulnerable versions of @angular-devkit/build-webpack
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-angular
      @angular-devkit/build-webpack  *
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-webpack

5 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Would be glad if someone helped.

@emiliohell

Same with a completely new angular project with fully updated packages.

@JamesHenry
Member

We need to distinguish what's going on here.

The OP is reporting angular-eslint v12, which is not the current major version of this project.

The vulnerability related to async is present in brand new Angular CLI workspaces without any involvement from angular-eslint at all, because as seen on these reports it is originating from @angular-devkit/build-webpack:


Please kindly report this to the Angular CLI folks. I will leave this open for now for visibility

@JamesHenry JamesHenry added dependencies Pull requests that update a dependency file and removed package: builder Angular CLI builder which enables executing ESLint in Angular CLI workspaces triage This issue needs to be looked at and categorized by a maintainer labels Apr 14, 2022
@Frtrillo

Frtrillo commented Apr 19, 2022

I have the same issue. I have angular-eslint v13.0.1 installed, but it wants to install eslint v12 to fix it:

# npm audit report

async  <2.6.4
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install @angular-eslint/builder@12.2.1, which is a breaking change
node_modules/jake/node_modules/async
  jake  >=8.0.1
  Depends on vulnerable versions of async
  node_modules/jake
    ejs  >=3.1.2
    Depends on vulnerable versions of jake
    node_modules/ejs
      @nrwl/devkit  *
      Depends on vulnerable versions of ejs
      node_modules/@nrwl/devkit
        @angular-eslint/builder  >=12.2.2-alpha.0
        Depends on vulnerable versions of @nrwl/devkit
        node_modules/@angular-eslint/builder

5 high severity vulnerabilities

@trazeris

trazeris commented Apr 19, 2022

EDIT: actually this is more an issue with ejs/jake which nrwl/devkit is dependent on.
See mde/ejs#659 jakejs/jake#406 and jakejs/jake#411

Hi!
I don't know about the brand new Angular CLI, but the vulnerability is really present in the current version of angular-eslint.

In master package.json :
"@nrwl/devkit": "13.9.7",
Also, in angular-eslint/builder it is still an older version, with the same problem:
"@nrwl/devkit": "13.1.3"

In nrwl/devkit package.json @ 13.9.7, same for @13.1.3:
"ejs": "^3.1.5",

In ejs@3.1.5
"jake": "^10.6.1"

In jake@10.6.1
"async": "0.9.x"

async version 0.9.x will be reported by npm audit as OP reported.

@PeterHewat

PeterHewat commented Apr 19, 2022

> We need to distinguish what's going on here.
>
> The OP is reporting angular-eslint v12, which is not the current major version of this project.

Hi @JamesHenry ,
No, OP is not reporting angular-eslint v12. @dertuerke has installed v13 and it is the audit fix that suggests to downgrade a major version to "fix" this issue. And as @trazeris mentioned, it all boils down to a vulnerability in a dependency of a dependency:
@angular-eslint/builder@13.2.1 => @nrwl/devkit@13.1.3 => ejs@3.1.6 => jake@10.8.4 => async@0.9.2

All versions of async have a Prototype Pollution high vulnerability that has been fixed in 3.2.2

It is up to jake to update their dependency on async cf. #406 #408

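The chain trazeris and PeterHewat trace above (builder → @nrwl/devkit → ejs → jake → async) is what `npm audit` condenses into the nested "Depends on vulnerable versions of ..." lines. As an added example, not code from angular-eslint or from anyone in this thread, the script below reads the `vulnerabilities` map that `npm audit --json` (npm 7 and later) emits, reconstructs those chains, reports which direct dependency has to move, and decodes the three `fixAvailable` states behind "No fix available", "fix available via `npm audit fix`" and "fix available via `npm audit fix --force` ... breaking change". The report embedded in the script is a constructed sample that mirrors the portfinder chain posted earlier; only the field names (`via`, `effects`, `nodes`, `range`, `isDirect`, `fixAvailable`) follow the real npm JSON shape.

```javascript
// Added example (not from the angular-eslint project or this thread): walk the
// `vulnerabilities` map from `npm audit --json` and rebuild the dependency chains
// that the text report shows as nested "Depends on vulnerable versions of" lines.

// Helper to build one entry in the npm audit JSON shape.
function vuln(name, via, effects, range, isDirect = false, fixAvailable = false) {
  return { name, severity: 'high', isDirect, via, effects, range,
           nodes: [`node_modules/${name}`], fixAvailable };
}

// Advisory object as npm embeds it in `via` for the root package.
const ASYNC_ADVISORY = {
  source: 1, name: 'async', dependency: 'async', severity: 'high',
  title: 'Prototype Pollution in async',
  url: 'https://github.com/advisories/GHSA-fwr7-v2mv-hh25',
  range: '<3.2.2',
};

// CONSTRUCTED sample: the same chain as the second report in the thread.
const SAMPLE_REPORT = {
  vulnerabilities: {
    'async': vuln('async', [ASYNC_ADVISORY], ['portfinder'], '<3.2.2'),
    'portfinder': vuln('portfinder', ['async'], ['webpack-dev-server'], '0.1.0 || >=0.4.0'),
    'webpack-dev-server': vuln('webpack-dev-server', ['portfinder'],
      ['@angular-devkit/build-angular', '@angular-devkit/build-webpack'], '>=2.0.0-beta'),
    '@angular-devkit/build-webpack': vuln('@angular-devkit/build-webpack',
      ['webpack-dev-server'], ['@angular-devkit/build-angular'], '*'),
    '@angular-devkit/build-angular': vuln('@angular-devkit/build-angular',
      ['webpack-dev-server', '@angular-devkit/build-webpack'], [], '*', true),
  },
};

// Root causes: entries whose `via` holds advisory objects, not just package names.
function rootAdvisories(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === 'object'))
    .map((v) => ({
      name: v.name,
      range: v.range,
      urls: v.via.filter((x) => typeof x === 'object').map((a) => a.url),
    }));
}

// Follow `effects` from a root package until a direct dependency (or dead end).
// Each chain reads root -> ... -> direct dependency.
function chainsToDirectDeps(report, root) {
  const vulns = report.vulnerabilities;
  const found = [];
  const walk = (name, path) => {
    if (path.includes(name) || !vulns[name]) return; // cycle guard / unknown node
    const entry = vulns[name];
    const next = [...path, name];
    if (entry.isDirect || entry.effects.length === 0) { found.push(next); return; }
    for (const e of entry.effects) walk(e, next);
  };
  walk(root, []);
  return found;
}

// Decode the three `fixAvailable` states npm prints in the text report.
function fixState(entry) {
  const f = entry.fixAvailable;
  if (f === false) return 'no fix available';
  if (f === true) return 'npm audit fix';
  return f.isSemVerMajor
    ? `npm audit fix --force (installs ${f.name}@${f.version}, a breaking change)`
    : `npm audit fix (installs ${f.name}@${f.version})`;
}

// Direct dependencies at the end of every chain: the packages whose maintainers
// must pick up a fixed transitive release when npm says "no fix available".
function directDepsToEscalate(report) {
  const out = new Set();
  for (const root of rootAdvisories(report)) {
    for (const chain of chainsToDirectDeps(report, root.name)) {
      const last = report.vulnerabilities[chain[chain.length - 1]];
      if (last.isDirect) out.add(last.name);
    }
  }
  return [...out].sort();
}

// Stand-alone run: print the same information the text report shows, flattened.
function printReport(report) {
  for (const root of rootAdvisories(report)) {
    console.log(`${root.name} ${root.range}: ${root.urls.join(', ')}`);
    for (const chain of chainsToDirectDeps(report, root.name)) console.log('  ' + chain.join(' -> '));
    console.log('  ' + fixState(report.vulnerabilities[root.name]));
  }
  console.log('escalate to: ' + directDepsToEscalate(report).join(', '));
}
printReport(SAMPLE_REPORT);
```

Run it with `node` as-is, or replace `SAMPLE_REPORT` with `JSON.parse` of a real `npm audit --json` capture. The useful output is the last element of each chain: when the audit says "no fix available", that direct dependency (here `@angular-devkit/build-angular`) is the package whose maintainers have to pick up the fixed transitive release, which is how this thread resolves (jake, ejs and nx shipped fixes, then angular-eslint v14). Note that `npm audit --production`, suggested earlier, only omits devDependencies from the audit; it changes nothing about what is installed.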
@webdevelopland

webdevelopland commented Apr 26, 2022

Jake fixed the vulnerability 6 days ago: jakejs/jake#408
nrwl and ejs did too:
nrwl: nrwl/nx#9818
ejs: mde/ejs#668
Is it fixed for angular-eslint too?

@webdevelopland

npm audit fix fixes it

@JamesHenry
Member

angular-eslint v14.0.0 was just published and is available on npm and does not contain any negative results from npm audit

Please check out the release notes for guidance: https://github.com/angular-eslint/angular-eslint/releases/tag/v14.0.0

Many thanks 🙏


10 participants