Up to date NG CLI, creating a new project, npm audit strikes
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│           Some vulnerabilities require your attention to resolve             │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular-devkit/build-angular [dev]                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular-devkit/build-angular > node-sass > node-gyp > tar   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/803                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
Angular CLI: 7.3.8
Node: 10.15.0
OS: darwin x64
Angular:
...
Package Version
------------------------------------------------------
@angular-devkit/architect 0.13.8
@angular-devkit/core 7.3.8
@angular-devkit/schematics 7.3.8
@schematics/angular 7.3.8
@schematics/update 0.13.8
rxjs 6.3.3
typescript 3.2.4
Anything else relevant?
Nothing further
Hi, thanks for reporting this, however this is caused by an upstream package and will be fixed when they release a new version https://github.com/nodejs/node-gyp/issues/1714
I am having the same issue.
v4.4.8 was just released.
Looks like node-gyp already took care of it.
https://github.com/nodejs/node-gyp/pull/1713
I'm guessing that with it now being resolved we can expect this in the next release?
Building a new app still generates the same error
node-sass is using an older version of node-gyp, hence we are still blocked on this.
This question has already been answered. Can you try this solution https://stackoverflow.com/a/55649551/10961281, it has worked for me
Do NOT manually edit the lock file.
Then how should it be done?
Wait till sass is updated and give the Angular chaps time, it's Friday (for us anyway). We aren't releasing this weekend.
The Angular guys are extremely quick at resolving issues, patience is key.
+1
I am also having this issue, any news on an update?
I also have this problem. We'll wait a few days with merges.
Any update on this?
Hi all, node-sass has yet to fix the issue, see: https://github.com/sass/node-sass/issues/2625
At this point we are blocked until they do the fix and cut a release.
Our CI pipelines are throwing this vulnerability, so what is the ETA for this issue?
Check out nodejs/node-gyp#1718 for an ETA on the next node-gyp release containing a fix. At this stage, it looks like they're still debating what version number to give it. :expressionless:
node-gyp has been fixed.
node-sass is being updated: https://github.com/sass/node-sass/pull/2639
Once that PR is merged we can bump the node-sass version here.
Is it safe to use the CLI to build for production apps while we're waiting on a fix?
Any update on this, there has been a cli update but the error is still persisting?
@pl4yradam, sass/node-sass#2639 still needs to be merged. See https://github.com/angular/angular-cli/issues/14138#issuecomment-486388458.
@MatthiasKunnen thanks for the ref mate, I'll keep an eye out over there
any update?
The solution of this question solved my problem too, but don't know how safe/recommended is it?
https://stackoverflow.com/questions/55635378/npm-audit-arbitrary-file-overwrite/55649551#55649551
This is not the way to do it. Manually editing the package-lock.json file to fix the dependency version seems like a quick fix, but it's not the right fix, since the package-lock file will be overwritten when you run an npm install again. Guess we should wait on the devs to bump up the dependency version of node-sass and then update this package.
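The comments above settle on a rule (never hand-edit package-lock.json; wait for the upstream bump) but leave CI owners with a build that fails on a dev-only transitive finding they cannot fix themselves. The script below is an added example, not code from the angular-cli project, npm, or any commenter. It reads an `npm audit --json` report in the npm 6 shape (`advisories` keyed by id, each with `patched_versions` and `findings[]` carrying `version`, `dev` and `paths`), checks each installed copy against the advisory's patched range with a small semver subset, and blocks the build only for unpatched findings that are reachable from production dependencies, unless the caller opts in to failing on dev-only ones. The embedded report is constructed to mirror advisory 803 as quoted in the issue; the installed versions `2.2.1` and `4.4.8` and the second finding's path are assumptions for illustration.

```javascript
// Added example (not from the angular-cli thread, npm, or node-sass): a CI gate
// over `npm audit --json` (npm 6 report shape) that does NOT touch the lock file.
// It decides per finding whether the installed version already satisfies the
// advisory's patched range and whether the finding is reachable from production
// code, and blocks only on what a team can actually act on.
//
// SAMPLE_AUDIT is CONSTRUCTED to mirror advisory 803 as quoted in the issue.
// The installed versions (2.2.1, 4.4.8) and the second path are assumptions.
const SAMPLE_AUDIT = {
  advisories: {
    "803": {
      id: 803,
      module_name: "tar",
      severity: "high",
      title: "Arbitrary File Overwrite",
      patched_versions: ">=4.4.2",
      url: "https://npmjs.com/advisories/803",
      findings: [
        { version: "2.2.1", dev: true,
          paths: ["@angular-devkit/build-angular>node-sass>node-gyp>tar"] },
        { version: "4.4.8", dev: true, paths: ["node-gyp>tar"] },
      ],
    },
  },
};

// Minimal semver: "MAJOR.MINOR.PATCH" plus ranges made of comparators
// (">=", "<=", ">", "<", "=") joined by spaces (AND) and "||" (OR), which is the
// subset npm advisories use in patched_versions. Anything else is rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

function satisfiesRange(version, range) {
  return range.split("||").some((clause) =>
    clause.trim().split(/\s+/).filter(Boolean).every((comparator) => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comparator);
      if (!m) throw new Error(`unsupported comparator: ${comparator}`);
      const c = compareVersions(version, m[2]);
      switch (m[1] || "=") {
        case ">=": return c >= 0;
        case "<=": return c <= 0;
        case ">": return c > 0;
        case "<": return c < 0;
        default: return c === 0;
      }
    }));
}

// Classify every (advisory, installed copy) pair. "patched" means the installed
// version already satisfies patched_versions, so nothing is left to do for it.
// "blocking" is the gate: unpatched, at or above minSeverity, and either
// reachable from production dependencies or dev-only with failOnDevOnly set.
function evaluateAudit(report, { failOnDevOnly = false, minSeverity = "high" } = {}) {
  const rank = { low: 0, moderate: 1, high: 2, critical: 3 };
  const results = [];
  for (const adv of Object.values(report.advisories)) {
    for (const f of adv.findings) {
      const patched = satisfiesRange(f.version, adv.patched_versions);
      const actionable = !patched && rank[adv.severity] >= rank[minSeverity];
      results.push({
        id: adv.id, module: adv.module_name, version: f.version,
        severity: adv.severity, dev: f.dev, paths: f.paths, patched,
        blocking: actionable && (!f.dev || failOnDevOnly),
      });
    }
  }
  return results;
}

// Process exit code for CI: 1 if anything blocks, else 0.
function exitCode(results) { return results.some((r) => r.blocking) ? 1 : 0; }

// Stand-alone run: one verdict line per finding, then the exit code.
const verdicts = evaluateAudit(SAMPLE_AUDIT);
for (const r of verdicts) {
  console.log(`${r.blocking ? "BLOCK" : "warn "} ${r.module}@${r.version} ` +
              `${r.severity} dev=${r.dev} patched=${r.patched} via ${r.paths[0]}`);
}
console.log(`exit code: ${exitCode(verdicts)}`);
```

With the sample report and default options the unpatched `tar@2.2.1` under `node-gyp` is reported but does not block, because it is a dev-only build-tool dependency with no fix available in the project's own manifest; the `tar@4.4.8` copy is recognised as already inside `>=4.4.2`. Passing `{ failOnDevOnly: true }` turns the first finding into a blocker, which is the stricter policy a team should choose deliberately rather than reach for by editing the lock file.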
any updates?
any updates?
any updates? cannot wait for the right solution.
still waiting for an appropriate solution :(
Any ETA on this as our CI builds complain about this vulnerability.
@subhashkonda @art3miz18 @pl4yradam @IsAmrish @pablocid I think it's safe to say if you still see the blocked tag on this issue, they are unable to execute work to fix it. Keep an eye on the fixes this work is dependent on, it's all been documented above what is needed for the Angular team to do what they need to do.
@MacGyver214 I'm not sure why I have been tagged, as I was providing a link to the issue?
Hi! Is this issue going to be fixed soon? Thanks!
Angular CLI code error messages are not showing because of this issue.
For those wondering why fixing this issue takes so long, have a look at https://github.com/npm/node-tar/pull/213 : they are facing a corner case where updating a library might cause more problems than leaving the security breach open.
Let's hope someone will find a way to solve this. :)
New version of tar just has been released:
https://github.com/npm/node-tar/issues/212#issuecomment-492463507
Node-sass:
https://github.com/sass/node-sass/issues/2625#issuecomment-492464554
Closing the issue as this seems to have been fixed upstream without the need to do any changes from our side.
Confirmed. I have tried it this morning.
On Thu, 16 May 2019, 08:54 Alan Agius, notifications@github.com wrote:
Closed #14138 https://github.com/angular/angular-cli/issues/14138.
Yes! I just did `npm audit fix` and it's solved!
`npm audit fix` fixed all issues locally, but my CI build still shows the tar 2.2.2 high vulnerability. Is the issue still open, or does this seem to be specific to my CI build?
Is anyone facing the same?
@subhashkonda I am also facing the same issue with GitHub. Vulnerability fixed on my local, but GitHub still shows it as vulnerable. They might need some more time to update their audit list :).
@alan-agius4 do you know when the dependency will be updated, and a new version of @angular-devkit/build-angular will be released on version 7 (stable)?
@xaviergxf, I don't think they need a new release for this issue since it's been fixed upstream.
Indeed no release is needed from our side.
27 May 2019 - Still facing the same issue when creating a new Angular project via CLI - 12 high vulnerabilities found.
The following solved it for me:
npm i -D node-sass node-pre-gyp node-gyp tar
I still have this same issue in CI builds, but locally it is all fine, npm audit gives 0 vulnerabilities. So what can be done here???
This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.
Read more about our automatic conversation locking policy.
_This action has been performed automatically by a bot._