
I have already run "npm audit fix". I have been ignoring the warnings, but it was still running well. Now it just won't run.

I'm working with Angular, the latest version. It is telling me that I might need to choose different dependencies. How do I do this manually? Apparently I need to, because running the suggested commands won't fix the issue.

Thanks.

# npm audit report

ansi-html  *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
No fix available
node_modules/ansi-html
  webpack-dev-server  2.0.0-beta - 4.1.0
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of http-proxy-middleware
  Depends on vulnerable versions of yargs
  node_modules/webpack-dev-server
    @angular-devkit/build-angular  <=13.0.0-next.3
    Depends on vulnerable versions of @angular-devkit/build-webpack
    Depends on vulnerable versions of webpack-dev-server
    node_modules/@angular-devkit/build-angular
    @angular-devkit/build-webpack  <=0.1300.0-next.2
    Depends on vulnerable versions of webpack-dev-server
    node_modules/@angular-devkit/build-webpack

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
No fix available
node_modules/webpack-dev-server/node_modules/cliui/node_modules/ansi-regex
node_modules/webpack-dev-server/node_modules/string-width/node_modules/ansi-regex
node_modules/webpack-dev-server/node_modules/wrap-ansi/node_modules/ansi-regex
node_modules/wide-align/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/webpack-dev-server/node_modules/cliui/node_modules/strip-ansi
  node_modules/webpack-dev-server/node_modules/string-width/node_modules/strip-ansi
  node_modules/webpack-dev-server/node_modules/wrap-ansi/node_modules/strip-ansi
  node_modules/wide-align/node_modules/strip-ansi
    cliui  4.0.0 - 5.0.0
    Depends on vulnerable versions of strip-ansi
    Depends on vulnerable versions of wrap-ansi
    node_modules/webpack-dev-server/node_modules/cliui
      yargs  10.1.0 - 15.0.0
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of string-width
      node_modules/webpack-dev-server/node_modules/yargs
        webpack-dev-server  2.0.0-beta - 4.1.0
        Depends on vulnerable versions of ansi-html
        Depends on vulnerable versions of chokidar
        Depends on vulnerable versions of http-proxy-middleware
        Depends on vulnerable versions of yargs
        node_modules/webpack-dev-server
          @angular-devkit/build-angular  <=13.0.0-next.3
          Depends on vulnerable versions of @angular-devkit/build-webpack
          Depends on vulnerable versions of webpack-dev-server
          node_modules/@angular-devkit/build-angular
          @angular-devkit/build-webpack  <=0.1300.0-next.2
          Depends on vulnerable versions of webpack-dev-server
          node_modules/@angular-devkit/build-webpack
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/webpack-dev-server/node_modules/string-width
    node_modules/wide-align/node_modules/string-width
      wrap-ansi  3.0.0 - 6.1.0
      Depends on vulnerable versions of string-width
      Depends on vulnerable versions of strip-ansi
      node_modules/webpack-dev-server/node_modules/wrap-ansi

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
No fix available
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of glob-parent
  Depends on vulnerable versions of readdirp
  node_modules/webpack-dev-server/node_modules/chokidar
    webpack-dev-server  2.0.0-beta - 4.1.0
    Depends on vulnerable versions of ansi-html
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of http-proxy-middleware
    Depends on vulnerable versions of yargs
    node_modules/webpack-dev-server
      @angular-devkit/build-angular  <=13.0.0-next.3
      Depends on vulnerable versions of @angular-devkit/build-webpack
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-angular
      @angular-devkit/build-webpack  <=0.1300.0-next.2
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-webpack

set-value  <4.0.1
Severity: high
Prototype Pollution in set-value - https://github.com/advisories/GHSA-4jqc-8m5r-9rpr
No fix available
node_modules/set-value
  cache-base  >=0.7.0
  Depends on vulnerable versions of set-value
  Depends on vulnerable versions of union-value
  node_modules/cache-base
    base  >=0.7.0
    Depends on vulnerable versions of cache-base
    node_modules/base
      snapdragon  0.6.0 - 0.10.1
      Depends on vulnerable versions of base
      node_modules/snapdragon
        braces  2.0.0 - 2.3.2
        Depends on vulnerable versions of snapdragon
        node_modules/http-proxy-middleware/node_modules/braces
        node_modules/webpack-dev-server/node_modules/braces
          chokidar  1.0.0-rc1 - 2.1.8
          Depends on vulnerable versions of braces
          Depends on vulnerable versions of glob-parent
          Depends on vulnerable versions of readdirp
          node_modules/webpack-dev-server/node_modules/chokidar
            webpack-dev-server  2.0.0-beta - 4.1.0
            Depends on vulnerable versions of ansi-html
            Depends on vulnerable versions of chokidar
            Depends on vulnerable versions of http-proxy-middleware
            Depends on vulnerable versions of yargs
            node_modules/webpack-dev-server
              @angular-devkit/build-angular  <=13.0.0-next.3
              Depends on vulnerable versions of @angular-devkit/build-webpack
              Depends on vulnerable versions of webpack-dev-server
              node_modules/@angular-devkit/build-angular
              @angular-devkit/build-webpack  <=0.1300.0-next.2
              Depends on vulnerable versions of webpack-dev-server
              node_modules/@angular-devkit/build-webpack
        expand-brackets  1.0.0 - 2.1.4
        Depends on vulnerable versions of snapdragon
        node_modules/expand-brackets
        extglob  1.0.0 - 2.0.4
        Depends on vulnerable versions of snapdragon
        node_modules/extglob
        micromatch  3.0.0 - 3.1.10
        Depends on vulnerable versions of snapdragon
        node_modules/http-proxy-middleware/node_modules/micromatch
        node_modules/webpack-dev-server/node_modules/micromatch
          anymatch  2.0.0
          Depends on vulnerable versions of micromatch
          node_modules/webpack-dev-server/node_modules/anymatch
          http-proxy-middleware  0.18.0 - 0.19.2
          Depends on vulnerable versions of micromatch
          node_modules/http-proxy-middleware
          readdirp  2.2.0 - 2.2.1
          Depends on vulnerable versions of micromatch
          node_modules/webpack-dev-server/node_modules/readdirp
        nanomatch  >=0.1.1
        Depends on vulnerable versions of snapdragon
        node_modules/nanomatch
  union-value  *
  Depends on vulnerable versions of set-value
  node_modules/union-value

25 vulnerabilities (6 moderate, 19 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.
franfonse

1 Answer


For the high-severity ansi-html vulnerability, you can try following the procedure outlined here:

How to override a nested npm sub-dependency with a different package altogether (not just different package version number)?

In general, that approach could be used to resolve many of the security vulnerabilities that appear in your error message, and most of the time, you would just need to specify the updated version number in the resolutions section of package.json.

Justin Dehorty
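The answer's approach, worked through as an added example that is not part of the original post: this script reads `npm audit --json` output (the npm 7+ report format), and for each advisory that `npm audit fix` cannot resolve it walks the `effects` chain up to the direct dependencies in package.json and emits a nested npm `overrides` skeleton (npm 8.3+'s counterpart of Yarn's `resolutions` field that the answer mentions). The audit data is a constructed sample modelled on the ansi-html chain in the question, and `<PATCHED_VERSION>` is a placeholder to be filled in from each advisory.

```python
import json

# Constructed sample of `npm audit --json` output (auditReportVersion 2), modelled on the
# chain in the question: ansi-html -> webpack-dev-server -> @angular-devkit/build-angular.
SAMPLE_AUDIT = json.loads("""{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "ansi-html": {"isDirect": false, "range": "*", "fixAvailable": false,
      "via": [{"name": "ansi-html", "severity": "high", "range": "*",
               "title": "Uncontrolled Resource Consumption in ansi-html",
               "url": "https://github.com/advisories/GHSA-whgm-jr23-g3j9"}],
      "effects": ["webpack-dev-server"]},
    "webpack-dev-server": {"isDirect": false, "range": "2.0.0-beta - 4.1.0",
      "fixAvailable": false, "via": ["ansi-html"],
      "effects": ["@angular-devkit/build-angular"]},
    "@angular-devkit/build-angular": {"isDirect": true, "range": "<=13.0.0-next.3",
      "fixAvailable": false, "via": ["webpack-dev-server"], "effects": []}
  }
}""")

def root_advisories(audit):
    # Packages carrying an advisory themselves: their `via` holds advisory objects,
    # whereas purely transitive entries list only the names they depend on.
    return [n for n, v in audit["vulnerabilities"].items()
            if any(isinstance(x, dict) for x in v["via"])]

def chains_to_direct(audit, name, path=()):
    # Walk `effects` upward until a direct dependency (a package.json entry) is reached.
    # Returns tuples ordered root-first: (direct dep, ..., vulnerable package).
    if name in path:            # defensive: never loop on a malformed report
        return []
    path = (name,) + path
    entry = audit["vulnerabilities"][name]
    if entry.get("isDirect") or not entry["effects"]:
        return [path]
    chains = []
    for parent in entry["effects"]:
        chains.extend(chains_to_direct(audit, parent, path))
    return chains

def override_skeleton(audit):
    # Nested npm `overrides` entries for advisories `npm audit fix` cannot resolve;
    # `<PATCHED_VERSION>` is a placeholder to be filled in from each advisory.
    overrides = {}
    for name in root_advisories(audit):
        if audit["vulnerabilities"][name]["fixAvailable"]:
            continue                      # `npm audit fix` already handles these
        for chain in chains_to_direct(audit, name):
            node = overrides
            for pkg in chain[:-1]:
                node = node.setdefault(pkg, {})
            node[chain[-1]] = "<PATCHED_VERSION>"
    return overrides
```

Pasting `{"overrides": override_skeleton(...)}` into package.json, replacing the placeholder, and re-running `npm install` and `npm audit` confirms whether the pinned version clears the advisory.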