NPM audit reports denial of service vulnerability in http-proxy #737

Closed
trevoreyre opened this issue May 15, 2020 · 1 comment

trevoreyre commented May 15, 2020

Describe the Bug

npm audit reports a high severity denial of service vulnerability in the http-proxy dependency.

This is in the @angular-devkit/build-angular dependency. http-proxy is a downstream dependency of webpack-dev-server.

Minimal Reproduction

> npm i -D @angular-builders/custom-webpack
> npm audit

                       === npm audit security report ===                        
                                                                                
                                                                                
                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           
                                                                                
                                                                                
  High            Denial of Service                                             
                                                                                
  Package         http-proxy                                                    
                                                                                
  Patched in      No patch available                                            
                                                                                
  Dependency of   @angular-builders/custom-webpack [dev]                        
                                                                                
  Path            @angular-builders/custom-webpack >                            
                  @angular-devkit/build-angular > webpack-dev-server >          
                  http-proxy-middleware > http-proxy                            
                                                                                
  More info       https://npmjs.com/advisories/1486                             

Expected Behavior

npm audit reports no vulnerabilities

Environment


Libs
- @angular/core version: 9.1.0
- @angular-devkit/build-angular version: 0.901.6
- @angular-builders/custom-webpack version: 9.1.0

Additional Context

npm advisory: https://npmjs.com/advisories/1486

Related issues:
http-proxy: http-party/node-http-proxy#1446
webpack-dev-server: webpack/webpack-dev-server#2605
angular-cli: angular/angular-cli#17738

Owner

just-jeb commented May 18, 2020

Seems like there is a corresponding issue in Angular CLI. I don't think I can do something about this...
In fact the issue should be fixed in webpack-dev-server and the dependency of Angular CLI should be updated. Once it's done it will be fixed in the builder automatically.
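
The reply above turns on where in the dependency chain the fix has to land. As an added example (not part of this thread or of any project named in it), this Node.js script reads a report in the npm 6 `npm audit --json` layout and, for each finding, reports the direct dependency, the immediate parent of the vulnerable package, whether a patch exists and whether the path is dev-only. Assumptions: the report object is constructed from the text output in the issue, the `version` value is a placeholder, and the field names and the `<0.0.0` encoding of "No patch available" are taken from npm 6's JSON output.

```javascript
// Added example: triage a report in the npm 6 `npm audit --json` layout.
// SAMPLE_REPORT is constructed from the text report in the issue; `version`
// is a placeholder because the issue does not state it.
const SAMPLE_REPORT = {
  advisories: {
    1486: {
      id: 1486,
      module_name: 'http-proxy',
      severity: 'high',
      patched_versions: '<0.0.0', // assumed npm 6 encoding of "No patch available"
      findings: [{
        version: '0.0.0-placeholder',
        dev: true,
        paths: ['@angular-builders/custom-webpack>@angular-devkit/build-angular>' +
                'webpack-dev-server>http-proxy-middleware>http-proxy'],
      }],
    },
  },
};

// Paths are '>'-separated; scoped names such as @scope/name contain no '>'.
function splitPath(path) {
  return path.split('>').map((s) => s.trim()).filter(Boolean);
}

// One row per advisory/path pair, with the facts a maintainer needs to act on.
function triage(report) {
  const rows = [];
  for (const adv of Object.values(report.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const chain = splitPath(path);
        rows.push({
          advisory: adv.id,
          module: adv.module_name,
          severity: adv.severity,
          patchAvailable: adv.patched_versions !== '<0.0.0',
          devOnly: finding.dev === true,
          direct: chain[0], // the entry package.json actually lists
          parent: chain.length > 1 ? chain[chain.length - 2] : null, // must bump first
          depth: chain.length - 1, // 0 means a direct dependency
        });
      }
    }
  }
  return rows;
}

console.table(triage(SAMPLE_REPORT));
```

A row with `patchAvailable: false` and `depth` greater than 0 is the situation described in this issue: nothing in the reporting project's own `package.json` can resolve it until the packages further down the chain release updates.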
