NPM Audit Failure = @angular-devkit/build-angular

[Adam-Kernig]

🐞 Bug report

Command (mark with an x)

• [ X ] new
• build
• serve
• test
• e2e
• generate
• add
• update
• lint
• xi18n
• run
• config
• help
• version
• doc

### Is this a regression?
no

### Description
Up to date NG CLI, creating a new project, npm audit strikes


## 🔬 Minimal Reproduction
Up to date NG CLI, creating a new project, npm audit strikes

## 🔥 Exception or Error
<pre><code>
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular-devkit/build-angular [dev]                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular-devkit/build-angular > node-sass > node-gyp > tar   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/803                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
</code></pre>


## 🌍 Your Environment
<pre><code>
Angular CLI: 7.3.8
Node: 10.15.0
OS: darwin x64
Angular: 
... 

Package                      Version
------------------------------------------------------
@angular-devkit/architect    0.13.8
@angular-devkit/core         7.3.8
@angular-devkit/schematics   7.3.8
@schematics/angular          7.3.8
@schematics/update           0.13.8
rxjs                         6.3.3
typescript                   3.2.4
</code></pre>

**Anything else relevant?**
Nothing further

[alan-agius4]

Hi, thanks for reporting this, however this is caused by an upstream package and will be fixed when they release a new version nodejs/node-gyp#1714

[spp125]

I am having the same issue.

[cap-akimrey]

v4.4.8 was just released.

[chet-manley]

Looks like node-gyp already took care of it.
nodejs/node-gyp#1713

[Adam-Kernig]

Im guessing with it now being resolved we can expect this in the next release?

[HansITChange]

Building a new app still generates the same error

[alan-agius4]

node-sass are using an older version of node-gyp. hence we are still blocked on this.

See: sass/node-sass#2625

[ignaciorecuerda]

This question has already been answered. Can you try this solution https://stackoverflow.com/a/55649551/10961281, it has worked for me

[Adam-Kernig]

This question has already been answered. Can you try this solution https://stackoverflow.com/a/55649551/10961281, it has worked for me

Do NOT manually edit the lock file.

[Adam-Kernig]

This question has already been answered. Can you try this solution https://stackoverflow.com/a/55649551/10961281, it has worked for me

Do NOT manually edit the lock file.

Then how should it be done?

Wait till sass is updated and give the angular chaps time, it's friday (for us anyway) We aren't releasing this weekend.

The Angular guys are extremely quick at resolving issues, patience is key.

[lenichols]

+1

[cbutton01]

I am also having this issue, any news on an update?

[michalmotorola]

I also have this problem. We wait few days with merges.

[Hallight]

Any update on this?

[alan-agius4]

Hi all, node-sass have yet to fix the issue see: sass/node-sass#2625
At this point we are blocked until they do the fix and cut a release.

[subhashkonda]

Our CI pipe lines throwing this vulnerability, so what is ETA of this Issue?

[STheFox]

The solution of this question solved my problem too, but don't know how safe/recommended is it?
https://stackoverflow.com/questions/55635378/npm-audit-arbitrary-file-overwrite/55649551#55649551

This is not the way to do it. Manually editing the package-lock.json file to fix the dependency version seems like a quick fix but it's not the right fix since the package-lock file will be overwritten when you run a npm install again. Guess we should wait on the devs to bump up the dependency version of node-sass and then update this package.

[pablocid]

any updates?

[pablocid]

any updates?

[isamrish]

any updates? cannot wait for the right solution.

[pl4yradam]

sass/node-sass#2639

[art3miz18]

still waiting for an apropriate solution :(

[subhashkonda]

Any ETA on this as our CI builds complain about this vulnerability.

[MacGyver214-zz]

@subhashkonda @art3miz18 @pl4yradam @isamrish @pablocid I think it's safe to say if you still see the blocked tag on this issue, they are unable to execute work to fix it. Keep an eye on the fixes this work is dependent on, it's all been documented above what is needed for the Angular team to do what they need to do.

[pl4yradam]

@macgyver214 im not sure why I have been tagged as I was providing a link to the issue?

[franciscojsr]

Hi! It's gonna be fix this issue soon? Thanks!
Angular-cli messages code errors not showing becouse this issue.

[AlanCrevon]

For those wondering why fixing this issue takes so long, have a look at isaacs/node-tar#213 : they are facing a corner case where updating a library might cause more problems than leaving the security breach open.

Let’s hope someone will find a way to solve this. :)

[michel-jump]

New version of tar just has been released:
isaacs/node-tar#212 (comment)

Node-sass:
sass/node-sass#2625 (comment)

[alan-agius4]

Closing the issue as this seems to have been fixed upstream without the need to do any changes from our side.

[pl4yradam]

Confirmed. I have tried it this morning.

…

On Thu, 16 May 2019, 08:54 Alan Agius, ***@***.***> wrote: Closed #14138 <#14138>. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#14138?email_source=notifications&email_token=AFL4VWS2655UUA5BLNANFI3PVUHLVA5CNFSM4HFG33BKYY3PNVWWK3TUL52HS4DFWZEXG43VMVCXMZLOORHG65DJMZUWGYLUNFXW5KTDN5WW2ZLOORPWSZGORPHEIBY#event-2345550855>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFL4VWQBGI7PW573AOQHNUTPVUHLVANCNFSM4HFG33BA> .

[franciscojsr]

Yes! I just did: npm audit fix and solved!

[subhashkonda]

Npm audit fix fixed all issues in my local, but I still see in my CI build showing the tar 2.2.2 high vulnerability. Do you see the issue is still open or is this seems to be my CI Build specific.
Does anyone facing the same ?

[ShahanaFarooqui]

@subhashkonda i am also facing the same issue with github. Veulnerability fixed on my local but Github still shows it vulnerable. They might need some more time to update their audit list :).

[xaviergxf]

@alan-agius4 do you know when the dependency will be updated, and a new version of @angular-devkit/build-angular will be released on version 7 (stable)?

[salah3x]

@xaviergxf, I don't think they need a new release for this issue since it's been fixed upstream.

[alan-agius4]

Indeed no release is needed from our side.

[weidenhaus]

27 May 2019 - Still facing the same issue when creating new Angular project via CLI - 12 high vulnerabilities found.

The following solved it for me:

npm i -D node-sass node-pre-gyp node-gyp tar

[subhashkonda]

I still have this same issue in CI Builds but in local it is all fine npm audit gives 0 vulnerabilities, So what can be done here???

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}