
I am getting a High vulnerability in my Angular project: 'Uncontrolled Resource Consumption in ansi-html'.

I have got a few more such High vulnerabilities, but those were fixed by adding a 'resolutions' section to package.json and adding "preinstall": "npx npm-force-resolutions" under the scripts section. The vulnerabilities I fixed that way came with a 'Patched in' version like 'Patched in │ >=4.0.1'. But this one came with 'No patch available', so I am a bit confused about how to fix it. Does anyone have an idea how to fix this? Thanks

Jayden

3 Answers


If you aren't using ansi-html directly but rely on dependencies that use it, you should instead set up a resolutions section in package.json. (You should never edit package-lock.json directly since it is regenerated every time you run npm install). You just need to provide a link to the tarball where you would normally specify the overriding version number. Your resolutions section of package.json should look like this:

"resolutions": {
    "ansi-html": "https://registry.npmjs.org/ansi-html-community/-/ansi-html-community-0.0.8.tgz"
}

Please refer to this post for more details:

How to override a nested npm sub-dependency with a different package altogether (not just different package version number)?

Justin Dehorty

Uncontrolled Resource Consumption in ansi-html (CVE-2021-23424) is a vulnerability that won’t be fixed by the project’s author, since it’s been abandoned and there won’t be a patched version of ansi-html.

You just have to go to package-lock.json and find the line with:

"ansi-html": {
  "version": "0.0.7",
  "resolved": "https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz",
  "integrity": "sha1-gTWEAhliqenm/QOflA0S9WynhZ4="

And replace with this:

"ansi-html-community": {
  "version": "0.0.8",
  "resolved": "https://registry.npmjs.org/ansi-html-community/-/ansi-html-community-0.0.8.tgz",
  "integrity": "sha512-1APHAyr3+PCamwNw3bXCPp4HFLONZt/yIH0sZp0/469KWNTEy+qN5jQ3GVX6DMZ1UXAi34yVwtTeaG/HpBuuzw=="

And this line in the same file:

"dependencies": {
    "ansi-html": "^0.0.7",

Replace with:

"dependencies": {
    "ansi-html-community": "^0.0.8",

Then just type npm update and that's it.

You can get more info in this link.

And check the entire commit here.

    You should never edit `package-lock.json` directly. Changes will be lost every time `npm install` is run, which is inconvenient and can lead to unexpected behavior. `npm-force-resolutions` should be used instead as a temporary fix until the maintainers of the dependencies you are using update their packages to use `ansi-html-community`. – Justin Dehorty Oct 26 '21 at 16:19
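Both answers above boil down to making every nested ansi-html entry resolve to the ansi-html-community tarball. The following is an added example, not code from the question or either answer: a small Node script that scans a parsed package-lock.json and reports which ansi-html occurrences still point at the abandoned package and which were redirected. It assumes lockfileVersion 1 (nested "dependencies") or 2/3 (flat "packages"), and the package names in the sample lock are constructed.

```javascript
// Added example, not code from the question or either answer.
// Audits a parsed package-lock.json for the abandoned "ansi-html" package and
// reports whether each occurrence now resolves to the ansi-html-community
// tarball, which is what the "resolutions" entry in the first answer makes npm do.
// Assumption: the lock is lockfileVersion 1 (nested "dependencies") or
// 2/3 (flat "packages" keyed by node_modules path).

const VULNERABLE_NAME = 'ansi-html';
const COMMUNITY_TARBALL_PREFIX = 'https://registry.npmjs.org/ansi-html-community/';

// lockfileVersion 1: recurse through nested "dependencies" objects.
function walkV1(deps, trail, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...trail, name];
    if (name === VULNERABLE_NAME) {
      out.push({ path: here.join(' > '), resolved: meta.resolved || '' });
    }
    walkV1(meta.dependencies, here, out);
  }
}

// lockfileVersion 2/3: keys look like "node_modules/a/node_modules/ansi-html".
function walkV2(packages, out) {
  for (const [key, meta] of Object.entries(packages || {})) {
    if (key === '') continue; // the root project entry
    const name = key.split('node_modules/').pop();
    if (name === VULNERABLE_NAME) out.push({ path: key, resolved: meta.resolved || '' });
  }
}

// One finding per ansi-html occurrence; remediated === true means the entry
// was redirected to the community fork's tarball.
function auditAnsiHtml(lock) {
  const out = [];
  if (lock.packages) walkV2(lock.packages, out); else walkV1(lock.dependencies, [], out);
  return out.map((f) => ({ ...f, remediated: f.resolved.startsWith(COMMUNITY_TARBALL_PREFIX) }));
}

// Constructed sample lock (v1 shape, package names pkg-a/pkg-b are made up):
// one entry still on the original tarball, one already forced to the fork.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'pkg-a': { version: '1.0.0', dependencies: {
      'ansi-html': { version: '0.0.7', resolved: 'https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz' } } },
    'pkg-b': { version: '2.0.0', dependencies: {
      'ansi-html': { version: '0.0.8', resolved: 'https://registry.npmjs.org/ansi-html-community/-/ansi-html-community-0.0.8.tgz' } } },
  },
};

for (const f of auditAnsiHtml(SAMPLE_LOCK)) {
  console.log(`${f.remediated ? 'OK  ' : 'VULN'} ${f.path} -> ${f.resolved}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; any line printed as VULN is a nested dependency the resolutions entry has not yet caught.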

Updating your Angular to the latest version (Angular 13 is the latest version for now) will solve your problem! Cheers!

Alexander Gvozd
  • I still have the same errors on my `npm audit` even though I'm updated to Angular 13 – Aion Nov 19 '21 at 13:23
  • Interesting... If you updated correctly (use [link](https://update.angular.io) for it please), you have `"ansi-html-community": "^0.0.8"` (not "ansi-html" version:0.0.7) in your package-lock.json. So, in your case, remove node-modules folder, package-lock.json and do 'npm install'. – Alexander Gvozd Nov 19 '21 at 17:11