
Angular 12 upgradation issue related to css-what version inside package @angular-devkit/builder-angular #21185

Closed
imamhulagur opened this issue Jun 23, 2021 · 4 comments


imamhulagur commented Jun 23, 2021

🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑

Please read https://angular.io/guide/security#report-issues on how to disclose security related issues.

🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑
I am on the way to upgrading my Angular project. I have followed all the steps mentioned here: https://update.angular.io/. After that I am able to resolve all the issues except one high-severity one related to @angular-devkit/build-angular.

This is the issue:

```
High           Denial of Service
Package        css-what
Patched in     >=5.0.1
Dependency of  @angular-devkit/build-angular [dev]
Path           @angular-devkit/build-angular > css-minimizer-webpack-plugin
               > cssnano > cssnano-preset-default > postcss-svgo > svgo >
               css-select > css-what

found 3 vulnerabilities (2 moderate, 1 high) in 1651 scanned packages
  3 vulnerabilities require manual review. See the full report for details.
```

I have tried updating using all the versions of @angular-devkit/build-angular available, but no luck. You can see some of the versions which I have tried below.

```
@angular-devkit/build-angular@12.0.2
└─ css-minimizer-webpack-plugin@3.0.0
   └─ cssnano@5.0.6
      └─ cssnano-preset-default@5.1.3
         └─ postcss-svgo@5.0.2
            └─ svgo@2.3.0
               └─ css-select@3.1.2
                  └─ css-what@4.0.0

@angular-devkit/build-angular@12.0.5
└─ css-minimizer-webpack-plugin@3.0.0
   └─ cssnano@5.0.6
      └─ cssnano-preset-default@5.1.3
         └─ postcss-svgo@5.0.2
            └─ svgo@2.3.0
               └─ css-select@3.1.2
                  └─ css-what@4.0.0

@angular-devkit/build-angular@12.1.0-next.6
└─ css-minimizer-webpack-plugin@3.0.1
   └─ cssnano@5.0.6
      └─ cssnano-preset-default@5.1.3
         └─ postcss-svgo@5.0.2
            └─ svgo@2.3.0
               └─ css-select@3.1.2
                  └─ css-what@4.0.0
```

In the above, @angular-devkit/build-angular is expecting the css-what version to be >= 5.0.1, which I am not able to find.

Which version of @angular-devkit/build-angular do I need to install so that css-what is >= 5.0.1? Only then will that high get resolved.

FYI:

Node version - v12.18.2
npm - 6.14.5

```json
{
  "dependencies": {
    "@angular-devkit/core": "^12.0.2",
    "@angular/animations": "^12.0.2",
    "@angular/common": "^12.0.2",
    "@angular/compiler": "^12.0.2",
    "@angular/core": "^12.0.2",
    "@angular/forms": "^12.0.2",
    "@angular/localize": "^12.0.2",
    "@angular/platform-browser": "^12.0.2",
    "@angular/platform-browser-dynamic": "^12.0.2",
    "@angular/platform-server": "^12.0.2",
    "@angular/router": "^12.0.2",
    "@angular/service-worker": "^12.0.2",
    "@fortawesome/fontawesome-free": "^5.15.3",
    "@ng-bootstrap/ng-bootstrap": "^9.1.2",
    "@ng-select/ng-select": "^5.1.0",
    "@ngrx/store-devtools": "^6.1.0",
    "ag-grid": "^18.1.2",
    "ag-grid-angular": "^18.1.0",
    "ag-grid-community": "^19.0.0",
    "angular2-text-mask": "^9.0.0",
    "autoprefixer": "^10.2.6",
    "classlist.js": "^1.1.20150312",
    "compass-mixins": "^0.12.10",
    "core-js": "^2.6.12",
    "jquery": "^3.6.0",
    "moment": "^2.29.1",
    "ng6-toastr": "^6.0.0",
    "ngx-bootstrap": "^6.2.0",
    "ngx-moment": "^3.2.0",
    "ngx-spinner": "^6.1.2",
    "ngx-toastr": "^14.0.0",
    "postcss-scss": "^3.0.5",
    "rxjs": "^6.6.7",
    "rxjs-compat": "^6.6.7",
    "zone.js": "^0.11.4"
  },
  "devDependencies": {
    "@angular-devkit/build-angular": "^12.1.0-next.6",
    "@angular/cli": "^12.0.2",
    "@angular/compiler-cli": "^12.0.2",
    "@angular/language-service": "^12.0.2",
    "@ngrx/store": "^12.1.0",
    "@types/jasmine": "^3.7.6",
    "@types/jasminewd2": "^2.0.9",
    "@types/node": "^15.6.1",
    "codelyzer": "^6.0.2",
    "jasmine-core": "^3.7.1",
    "jasmine-spec-reporter": "^7.0.0",
    "jspm": "^0.16.53",
    "karma": "^6.3.3",
    "karma-chrome-launcher": "^3.1.0",
    "karma-coverage-istanbul-reporter": "^3.0.3",
    "karma-jasmine": "^4.0.1",
    "karma-jasmine-html-reporter": "^1.6.0",
    "protractor": "^7.0.0",
    "ts-node": "^8.3.0",
    "tslint": "^6.1.0",
    "typescript": "^4.2.4"
  }
}
```

@imamhulagur imamhulagur changed the title Angular 12 upgradation issue related to @angular-devkit/builder-angular Angular 12 upgradation issue related to css-what version inside package @angular-devkit/builder-angular Jun 23, 2021
alan-agius4 (Collaborator) commented

This is not actionable from our end.

Please follow svg/svgo#1488.

aseques commented Jun 30, 2021

Hi @alan-agius4, this seems to be resolved now on svgo's side; the relevant bug is now on cssnano (already merged on master and only needs tagging). Relevant information is here.
I hope you can update your dependencies when it's tagged.

Regards

clydin (Member) commented Jun 30, 2021

@aseques Based on the existing SemVer range for svgo in cssnano of ^2.3.0, the corrected version should already be available for use. A newly generated 12.1.0 CLI project, for instance, no longer contains the audit vulnerability. Existing projects should be able to use npm audit fix. If that does not solve the issue, removing both the node_modules directory and the package lock file, followed by a fresh install, should resolve the problem.
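The reasoning in the thread (the audit path is pinned by the lockfile, and the fix is reachable without a new build-angular release only if every declared range along the path already admits the patched versions) can be checked mechanically. The script below is an added example, not code from the Angular CLI or npm projects. It walks an npm 6 `package-lock.json` (lockfileVersion 1) with npm's nearest-enclosing-node_modules resolution, reports every path from a direct dependency to an installed `css-what` that falls outside the audit's "Patched in" range, and tests whether a parent's recorded `requires` range admits a given fixed version. The two lockfiles are constructed for the demo: the package names and `svgo ^2.3.0` come from this page, while the other ranges and the post-fix versions (svgo 2.3.1, css-select 4.1.3, css-what 5.0.1) are assumptions.

```python
"""Trace a vulnerable transitive dependency through an npm v1 package-lock.json
and test whether declared ranges already admit the patched release.

Added example, not Angular CLI or npm code. LOCK_BEFORE / LOCK_AFTER are
constructed: names follow the audit path on this page; ranges other than
svgo ^2.3.0 and the post-fix versions are assumptions."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(v: str) -> Version:
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    x, y, z = (int(n) for n in m.groups())
    return (x, y, z)


def satisfies(version: str, range_spec: str) -> bool:
    """True if `version` is inside `range_spec`: exact, ^, ~, >=, >, <=, <, '*',
    and space-separated ANDs, which covers audit output and lockfile `requires`."""
    if range_spec.strip() in ("*", ""):
        return True
    v = parse_version(version)
    for comp in range_spec.split():
        m = re.match(r"^(\^|~|>=|<=|>|<|=)?v?(\d+)\.(\d+)\.(\d+)$", comp)
        if not m:
            raise ValueError(f"unsupported comparator: {comp}")
        op = m.group(1) or "="
        x, y, z = (int(n) for n in m.groups()[1:])
        base = (x, y, z)
        if op == "^":    # caret keeps the leftmost non-zero component fixed
            upper = (x + 1, 0, 0) if x else (0, y + 1, 0) if y else (0, 0, z + 1)
            ok = base <= v < upper
        elif op == "~":  # tilde allows patch-level changes only
            ok = base <= v < (x, y + 1, 0)
        else:
            ok = {"=": v == base, ">=": v >= base, ">": v > base,
                  "<=": v <= base, "<": v < base}[op]
        if not ok:
            return False
    return True


def _resolve(name: str, scope: List[dict]) -> Tuple[Optional[dict], List[dict]]:
    """npm lookup: the nearest enclosing node_modules holding `name` wins.
    Returns the node and the chain of nodes physically enclosing it."""
    for i in range(len(scope) - 1, -1, -1):
        hit = scope[i].get("dependencies", {}).get(name)
        if hit is not None:
            return hit, scope[: i + 1]
    return None, []


def find_vulnerable_paths(lock: dict, direct: List[str], pkg: str, patched: str) -> List[str]:
    """Every path direct-dep > ... > pkg@version whose installed `pkg`
    does NOT satisfy `patched` (the audit's 'Patched in' range)."""
    found: List[str] = []

    def walk(node: dict, scope: List[dict], path: List[str]) -> None:
        for dep_name in node.get("requires", {}):
            dep, enclosing = _resolve(dep_name, scope)
            if dep is None:
                continue                      # not installed (optional/peer): nothing to inspect
            label = f"{dep_name}@{dep['version']}"
            if label in path:
                continue                      # cycle guard
            if dep_name == pkg and not satisfies(dep["version"], patched):
                found.append(" > ".join(path + [label]))
            walk(dep, enclosing + [dep], path + [label])

    # The project itself "requires" its direct dependencies at any version.
    root = {"dependencies": lock.get("dependencies", {}),
            "requires": {name: "*" for name in direct}}
    walk(root, [root], [])
    return found


def lock_admits(lock: dict, parent: str, child: str, fixed_version: str) -> bool:
    """Does the range a (top-level) `parent` records for `child` already admit
    `fixed_version`? True means a lock refresh / npm audit fix is enough;
    False means `parent` itself needs a new release."""
    return satisfies(fixed_version, lock["dependencies"][parent]["requires"][child])


def _node(version: str, **requires: str) -> dict:
    return {"version": version, "dev": True, "requires": requires}


DIRECT = ["@angular-devkit/build-angular"]   # from package.json devDependencies

LOCK_BEFORE = {"lockfileVersion": 1, "dependencies": {   # constructed, fully hoisted
    "@angular-devkit/build-angular": _node("12.0.5", **{"css-minimizer-webpack-plugin": "^3.0.0"}),
    "css-minimizer-webpack-plugin": _node("3.0.0", cssnano="^5.0.2"),
    "cssnano": _node("5.0.6", **{"cssnano-preset-default": "^5.1.3"}),
    "cssnano-preset-default": _node("5.1.3", **{"postcss-svgo": "^5.0.2"}),
    "postcss-svgo": _node("5.0.2", svgo="^2.3.0"),            # range quoted in the thread
    "svgo": _node("2.3.0", **{"css-select": "^3.1.2"}),         # assumed range
    "css-select": _node("3.1.2", **{"css-what": "^4.0.0"}),     # assumed range
    "css-what": _node("4.0.0"),
}}

LOCK_AFTER = {"lockfileVersion": 1, "dependencies": dict(LOCK_BEFORE["dependencies"], **{
    "svgo": _node("2.3.1", **{"css-select": "^4.1.3"}),         # assumed post-fix versions
    "css-select": _node("4.1.3", **{"css-what": "^5.0.1"}),
    "css-what": _node("5.0.1"),
})}

if __name__ == "__main__":
    for p in find_vulnerable_paths(LOCK_BEFORE, DIRECT, "css-what", ">=5.0.1"):
        print("vulnerable:", p)
    print("postcss-svgo admits svgo 2.3.1:", lock_admits(LOCK_BEFORE, "postcss-svgo", "svgo", "2.3.1"))
    print("svgo 2.3.0 admits css-select 4.1.3:", lock_admits(LOCK_BEFORE, "svgo", "css-select", "4.1.3"))
    print("after refresh:", find_vulnerable_paths(LOCK_AFTER, DIRECT, "css-what", ">=5.0.1"))
```

On the constructed "before" lock the walker prints exactly the eight-package audit path from the issue; the two `lock_admits` checks show why the thread's answers fit together: the range `^2.3.0` admits svgo 2.3.1, so once svgo shipped a release the fix was a lock refresh away, whereas svgo 2.3.0's own (assumed) `^3.1.2` range for css-select could not reach css-select 4.x, which is why the fix had to land in svgo first. Point the script at a real lockfile with `json.load` and your project's direct dependencies to reproduce an audit path offline.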

angular-automatic-lock-bot commented

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.


@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Jul 31, 2021