14

I ran npm audit on my project and it gave me this:

High Command Injection
Dependency of @angular-devkit/build-angular [dev]

Path @angular-devkit/build-angular > @ngtools/webpack > tree-kill

More info https://npmjs.com/advisories/1432

High Command Injection

Package tree-kill

Patched in >=1.2.2

Dependency of @angular-devkit/build-angular [dev]

Path @angular-devkit/build-angular > tree-kill

More info https://npmjs.com/advisories/1432

tree-kill needs to be updated, but it is a dep of Angular, not mine. So what now? Do I need to wait for the Angular team to update their own package.json to a newer version of tree-kill?

Nemus

8 Answers

15

You can fix this without waiting for a new version of the package @angular-devkit/build-angular.

Just do the following steps:

  1. Update your package.json file by adding a resolutions section with the proper version of the tree-kill package:

     "resolutions": {
       "tree-kill": "1.2.2"
     }

  2. Update your package-lock.json by running the command:

     npx npm-force-resolutions

  3. Reinstall the NPM packages in your project:

     rm -r node_modules
     npm install

Run npm audit to check that your project no longer has this problem. And don't forget to commit the modified files package.json and package-lock.json.

More information about NPM Force Resolutions.

Yuri Beliakov
9

I was having the same problem today and I fixed it by:

  1. Delete the tree-kill package from the node_modules folder.
  2. Delete the package-lock.json file.
  3. Go to the @angular-devkit/build-angular folder in the node_modules folder and edit the package.json file; change the tree-kill version from 1.2.1 to 1.2.2.
  4. Go to the @ngtools/webpack folder in the node_modules folder and do the same as in step 3.

Run npm install after that.

saleem
  • So with this fix, I have to keep the node_modules folder in Git, right? – Loki Jan 13 '20 at 12:52
  • I am not sure if I got your question right, but you need to commit the new changes after the new installation. – saleem Jan 13 '20 at 16:48
  • Editing your dependencies manually is not a good idea, as doing a new installation of the project will bring the issue back. – Nemus Jan 16 '20 at 19:14
  • @Loki no! node_modules is a compilation of all binaries from dependencies. Much like the .m2/repository folder for Maven. The codebase does not need it and NPM _should_ resolve dependencies for every person cloning the repo. That's why you keep the package.json (and the package-lock when you run a dependency scanner, like in GitHub). Also, creating an unsupported mod of the dependency seems like a recipe for disaster once you update Angular, clone it in another place, etc. – Alfabravo Jun 15 '23 at 21:24
3

I just had this problem too, and after some research I found something:

NPM throws error on "audit fix" - Configured registry is not supported

Of course, it's about another problem, but by adapting the solution given there, it resolved my problem.

So:

  • Delete the node_modules folder of tree-kill.
  • Edit the package-lock.json file as is done there, but with the tree-kill module instead.
  • Don't forget to run npm install at the end.

I hope I've been clear enough.

archelite
  • How could I edit the package-lock.json in the second step if it was supposed to be deleted when deleting the node_modules folder of tree-kill in the step 1? – Mauricio Martinez Jan 13 '20 at 13:33
2

Check the GitHub repo to see if a fix is being worked on. I found this issue: https://github.com/angular/angular-cli/issues/16629 and a pull request (https://github.com/angular/angular-cli/pull/15894) which removes the dependency.

Peter G
1

Add the code below to package.json:

"resolutions": {
  "tree-kill": "1.2.2"
}

Remove all node modules:

rm -r node_modules

Update package-lock.json to the new version 1.2.2 with:

npx npm-force-resolutions

Now install node modules:

npm install

This works for me.

rohit
0
  1. Remove the tree-kill package from the node_modules folder and delete the package-lock.json file.

  2. Find the @angular-devkit/build-angular folder in the node_modules folder and edit the package.json file; change the tree-kill version from 1.2.1 to 1.2.2. Find @ngtools/webpack in the node_modules folder and edit its package.json file; change the tree-kill version from 1.2.1 to 1.2.2.

  3. Run npm install.
sam0606
0

Update your @angular-devkit/build-angular version in package.json to the one below:

"@angular-devkit/build-angular": "0.13.10"

It worked for me.

0

Deleting node_modules and reinstalling helps without any issues.

sunil
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Mar 08 '23 at 05:04