
@nrwl/webpack depends on loader-utils 1.2.3 which has known vulnerabilities #12733

Closed
oestrogen opened this issue Oct 20, 2022 · 8 comments
Labels
outdated scope: bundlers Issues related to webpack, rollup type: bug

Comments

@oestrogen

Both version 1 and 2 of loader-utils have known vulnerabilities.

https://nvd.nist.gov/vuln/detail/CVE-2022-37601
https://nvd.nist.gov/vuln/detail/CVE-2022-37603

Version 3 of loader-utils should be used instead.

@FrozenPandaz FrozenPandaz added the scope: bundlers Issues related to webpack, rollup label Oct 26, 2022
@METACEO

METACEO commented Oct 27, 2022

My client's Whitesource scan has brought me here 🙂 would love to consume the fix and validate!

@bfoese

bfoese commented Nov 3, 2022

The vulnerabilities have been fixed in loader-utils@2.0.3 (however, the maintainer encourages to move on to version 3). I wanted to create a PR to migrate Nx to use this version, but even with no changes to the repo the tests break on my local machine, so I wouldn't be able to verify my changes.

@METACEO To temporarily fix your client's pipeline scan, you could enforce the fixed version by adding this to the package.json of the project, until Nx has fixed this upgrade request:

"overrides": {
  "loader-utils@<=2.0.3": "2.0.3"
}

But make sure to properly test the application afterwards.

@naticaceres

naticaceres commented Nov 14, 2022

the overrides package.json tag does not work for npm <8.3.0
consequently, ...and angular v14 doesn't work with npm >8.1.2 (source shows node version, that can be cross matched here to the npm version.)

I managed to get my package-lock.json to actually use loader-utils >= 2.0.3 (following this guide https://itnext.io/fixing-security-vulnerabilities-in-npm-dependencies-in-less-than-3-mins-a53af735261d)

but then I cannot run nx serve myapp, it fails with this error
> NX ajvKeywords is not a function

I wasted my morning looking into this :/ and I'm running out of ideas.

adding loader-utils directly in my dependencies didn't work either.
moving the nrwl/webpack loader-utils dependency version to be 2.0.3 in my package-lock.json always ends up resolving in my project not building, regardless of how that change made it there (using npm >8.3.0 and override, or using npm-force-resolutions or manually going in)


Edit1: wording and sources.

@naticaceres

ok, I got this working.

for context, I have a project with

nx 14.8.6
angular 14.2.3
npm 8.1.2
node 16.13.2

what I did was: following this guide here (also linked in my previous comment)

  • installed loader-utils@1.4.2, which is the closest version to the one nrwl/webpack@14.8.6 uses that has no vulnerabilities according to snyk.io. - I did not install this with the --save-dev flag as indicated in the article I linked, because I don't want this to be a direct dependency for my project.
  • added a new tag in my package.json:
{
  "resolutions": {
    "loader-utils": "~1.4.2"
  }
}

If you are in the same boat, make sure to follow the guide I linked. You need to add a preinstall script for this to work:
"preinstall": "npx npm-force-resolutions"

Afterwards, I was able to serve my app without any issues, verify the correct version of loader-utils is being used in the dependency tree running npm list loader-utils, and validate the security vulnerability was fixed using npm audit.

@naticaceres

there is a merged PR here that is bumping the loader-utils version for nx to the recommended one.
However I don't know which versions get that upgrade.
I will try to update this comment with that as I find out.
I think I already saw this in v15 :/ which is not optimal, as it is a major version with potentially breaking changes, and the corresponding angular version is still not out.

@AgentEnder
Member

I'm going to close this out since it has been fixed.

The fix is included in v15.1.0.

@naticaceres Nx major version !== Angular major version, although they do tend to line up generally. You should be free to update to v15 of Nx, there weren't many breaking changes and none that were major that I remember. https://nx.dev/angular-nx-version-matrix

@naticaceres

this is interesting, thank you for your prompt answer @AgentEnder

I tried using nx@15.1.0 in my project and sadly it introduces a high number of breaking changes.
I updated to v15 running nx migrate 15.1.0 and following the steps. As you anticipated, it only upgraded the nx versions but didn't touch any angular version.

The removal of DataPersistence is a big breaking change for my code base, among other dozens of build errors I am getting now (this is a large codebase with 4 angular apps and 100s of libraries).

sadly for me (and for the rest of us using nx14 or previous versions) this is not providing a valid official solution.

if you have other ideas or if I can help I'd love to try.


@github-actions

This issue has been closed for more than 30 days. If this issue is still occurring, please open a new issue with more recent context.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 21, 2023