Angular Cli giving vulnerability error #10799

Closed
isurendrasingh opened this issue May 11, 2018 · 14 comments

Comments

@isurendrasingh

isurendrasingh commented May 11, 2018

Versions

Angular CLI: 6.0.1
Node: 8.11.1
OS: win32 x64

Observed behavior

[screenshot attached to the issue: "screenshot 28", showing the npm audit warning]

Desired behavior

Fix this

Mention any other details that might be useful (optional)

Tried these things, but nothing worked:

  1. Uninstalling & installing the CLI.
  2. Using npm cache verify & npm cache clean --force
  3. Uninstalling & installing Node.js.
  4. Using npm audit.

@Santhosh25

Does your machine have Git installed?
It seems like Git is not configured properly.

@isurendrasingh
Author

isurendrasingh commented May 11, 2018

@Santhosh25 no, Git is not installed. But it is not compulsory to install Git when working with Angular.

@amilbeck

amilbeck commented May 11, 2018

I'm having this same issue right now. Here are the packages it's complaining about. Tried installing karma v2.0.2 as it suggested and ended up with even more vulnerabilities than the original warning.

λ npm audit

                       === npm audit security report ===



# Run `npm install [email protected]` to resolve 12 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  low             Regular Expression Denial of Service

  Package         debug

  Dependency of   karma [dev]

  Path            karma > socket.io > debug

  More info       https://nodesecurity.io/advisories/534


  low             Regular Expression Denial of Service

  Package         debug

  Dependency of   karma [dev]

  Path            karma > socket.io > engine.io > debug

  More info       https://nodesecurity.io/advisories/534


  low             Regular Expression Denial of Service

  Package         debug

  Dependency of   karma [dev]

  Path            karma > socket.io > socket.io-adapter > debug

  More info       https://nodesecurity.io/advisories/534


  low             Regular Expression Denial of Service

  Package         debug

  Dependency of   karma [dev]

  Path            karma > socket.io > socket.io-client > debug

  More info       https://nodesecurity.io/advisories/534


  low             Regular Expression Denial of Service

  Package         debug

  Dependency of   karma [dev]

  Path            karma > socket.io > socket.io-client > engine.io-client >
                  debug

  More info       https://nodesecurity.io/advisories/534


  low             Regular Expression Denial of Service

  Package         debug

  Dependency of   karma [dev]

  Path            karma > socket.io > socket.io-adapter > socket.io-parser >
                  debug

  More info       https://nodesecurity.io/advisories/534


  low             Regular Expression Denial of Service

  Package         debug

  Dependency of   karma [dev]

  Path            karma > socket.io > socket.io-client > socket.io-parser >
                  debug

  More info       https://nodesecurity.io/advisories/534


  low             Regular Expression Denial of Service

  Package         debug

  Dependency of   karma [dev]

  Path            karma > socket.io > socket.io-parser > debug

  More info       https://nodesecurity.io/advisories/534


  low             Prototype Pollution

  Package         deep-extend

  Dependency of   karma [dev]

  Path            karma > chokidar > fsevents > node-pre-gyp > rc >
                  deep-extend

  More info       https://nodesecurity.io/advisories/612


  low             Prototype Pollution

  Package         lodash

  Dependency of   karma [dev]

  Path            karma > lodash

  More info       https://nodesecurity.io/advisories/577


  high            Denial of Service

  Package         ws

  Dependency of   karma [dev]

  Path            karma > socket.io > engine.io > ws

  More info       https://nodesecurity.io/advisories/550


  high            Denial of Service

  Package         ws

  Dependency of   karma [dev]

  Path            karma > socket.io > socket.io-client > engine.io-client > ws

  More info       https://nodesecurity.io/advisories/550



# Run `npm update ws --depth 4` to resolve 1 vulnerability

  high            Denial of Service

  Package         ws

  Dependency of   protractor [dev]

  Path            protractor > webdriver-js-extender > selenium-webdriver > ws

  More info       https://nodesecurity.io/advisories/550





                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  high            Regular Expression Denial of Service

  Package         parsejson

  Dependency of   karma [dev]

  Path            karma > socket.io > socket.io-client > engine.io-client >
                  parsejson

  More info       https://nodesecurity.io/advisories/528


[!] 14 vulnerabilities found - Packages audited: 21355 (21333 dev, 1438 optional)
    Severity: 10 low | 4 high

@Flexicon

Flexicon commented May 12, 2018

Can confirm the issue is a real thing. I believe it started after upgrading the CLI to 6.0.1. Never mind, it has nothing to do with the update; it's just dependencies.

@efbsolis

Yes, it has to do with dependencies.

I did it too, with the following specs:

Post installation, I saw these messages:

22 vulnerabilities found [10227 packages audited]
Severity: 16 Low | 6 High

=== npm audit security report ===
Run npm install --dev [email protected] to resolve 12 vulerabilities
Run npm install --dev [email protected] to resolve 3 vulnerabilities

After following the prompt, the tally changed:

13 vulnerabilities found [10711 packages audited]
Severity: 8 Low | 5 Moderate

@P1xt

P1xt commented May 12, 2018

This is a result of the new npm version including the audit command.

It isn't some new issue with the Angular CLI; npm just introduced new functionality to warn users about vulnerabilities in the packages they're installing. So there's no "new" vulnerability in Angular, it's just that npm is now warning you about vulnerabilities that already existed:

https://blog.npmjs.org/

Most of the issues stem from Karma, so it'd need to be fixed there for the Angular team to pull in a new Karma version karma-runner/karma#2994

@yy7054wyq5

+1

@msamprz

msamprz commented May 22, 2018

If I understand this correctly, as these vulnerabilities are due to Karma (in my case all of them are from Karma, except for 1 which was from Protractor), that means the end-product Angular application prod or dev build wouldn't have any vulnerabilities as this is only for the testing kit, correct?
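The question above (whether findings that only reach the project through karma and protractor matter for the shipped application) is exactly what the `dev` flag in `npm audit --json` answers for each finding. The script below is an added example, not code from this thread or from the Angular project: it splits a report into findings reachable only via devDependencies and findings reachable from production dependencies, and gates a build on the production set alone. It assumes the npm 6 JSON report shape (advisories keyed by id, each finding carrying `paths` and a `dev` flag); the embedded report is constructed for the example, reusing advisory ids and dependency paths from the thread plus one placeholder production-reachable advisory (`example-prod-lib`, id `PLACEHOLDER-ID`) that does not exist in the thread.

```javascript
// Added example, not from the issue thread. Assumes the npm 6 `npm audit --json`
// report shape. SAMPLE_REPORT is constructed: advisory ids 534/550/528 and the
// karma/protractor paths come from the thread; versions and the PLACEHOLDER-ID
// production advisory are made up for illustration.
const SAMPLE_REPORT = {
  advisories: {
    '534': {
      id: 534, module_name: 'debug', severity: 'low',
      title: 'Regular Expression Denial of Service',
      findings: [{ version: '2.6.8',
        paths: ['karma>socket.io>debug', 'karma>socket.io>engine.io>debug'], dev: true }],
    },
    '550': {
      id: 550, module_name: 'ws', severity: 'high', title: 'Denial of Service',
      findings: [
        { version: '1.1.2', paths: ['karma>socket.io>engine.io>ws'], dev: true },
        { version: '3.3.2',
          paths: ['protractor>webdriver-js-extender>selenium-webdriver>ws'], dev: true },
      ],
    },
    '528': {
      id: 528, module_name: 'parsejson', severity: 'high',
      title: 'Regular Expression Denial of Service',
      findings: [{ version: '0.0.3',
        paths: ['karma>socket.io>socket.io-client>engine.io-client>parsejson'], dev: true }],
    },
    // Placeholder: a constructed finding reachable from a production dependency.
    'PLACEHOLDER-ID': {
      id: 'PLACEHOLDER-ID', module_name: 'example-prod-lib', severity: 'moderate',
      title: 'Placeholder advisory',
      findings: [{ version: '1.0.0', paths: ['example-prod-lib'], dev: false }],
    },
  },
};

// npm severity levels, ordered so they can be compared numerically.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// One normalized record per (advisory, finding) pair. `topLevel` is the first
// segment of each dependency path, i.e. the direct dependency that pulls the
// vulnerable module in (karma, protractor, ...).
function classifyFinding(advisory, finding) {
  return {
    id: advisory.id,
    module: advisory.module_name,
    title: advisory.title,
    severity: advisory.severity,
    topLevel: finding.paths.map((p) => p.split('>')[0]),
    reachableFromProduction: finding.dev === false,
  };
}

// Split all findings into dev-only and production-reachable buckets.
function summarizeAudit(report) {
  const summary = { devOnly: [], production: [] };
  for (const advisory of Object.values(report.advisories || {})) {
    for (const finding of advisory.findings || []) {
      const entry = classifyFinding(advisory, finding);
      (entry.reachableFromProduction ? summary.production : summary.devOnly).push(entry);
    }
  }
  return summary;
}

// Sorted, de-duplicated list of direct dependencies responsible for the entries.
function topLevelPackages(entries) {
  return [...new Set(entries.flatMap((e) => e.topLevel))].sort();
}

// Highest severity among the entries ('info' when the list is empty).
function worstSeverity(entries) {
  return entries.reduce(
    (worst, e) => (SEVERITY_RANK[e.severity] > SEVERITY_RANK[worst] ? e.severity : worst),
    'info');
}

// CI gate: fail only when a production-reachable finding is at or above `threshold`.
// Dev-only findings (test runners, browsers drivers) are reported but do not block.
function gateBuild(summary, threshold) {
  return SEVERITY_RANK[worstSeverity(summary.production)] < SEVERITY_RANK[threshold];
}

if (typeof require !== 'undefined' && require.main === module) {
  const summary = summarizeAudit(SAMPLE_REPORT);
  console.log(`dev-only findings: ${summary.devOnly.length} via ${topLevelPackages(summary.devOnly).join(', ')}`);
  console.log(`production findings: ${summary.production.length}, worst: ${worstSeverity(summary.production)}`);
  console.log(`gate (threshold high): ${gateBuild(summary, 'high') ? 'pass' : 'fail'}`);
}
```

To use it on a real project, replace `SAMPLE_REPORT` with `JSON.parse` of the output of `npm audit --json`. The `dev` flag is what justifies treating karma/protractor findings differently from application dependencies: those packages never ship in the production bundle, so the gate keys on `dev: false` entries only, while still listing the dev-only ones so they get upgraded (as later comments in the thread do with karma).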

@clydin
Member

clydin commented May 29, 2018

Closing as this is being tracked here: #10963

@clydin clydin closed this as completed May 29, 2018
@hodo92

hodo92 commented Jun 12, 2018

That works for me:
npm set audit false

@PedroRuiz

+1

@meanMonk

meanMonk commented Sep 5, 2018

I resolved this issue by updating [email protected] and [email protected] using the commands below:

npm i [email protected] --save
npm install --save-dev [email protected]

@jepaddock

For those who came across this issue like I just did, @meanMonk is correct - updating Karma is a viable solution for this issue:

npm i karma --save (as of today, installs 4.0.1)

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.


This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Sep 9, 2019