Angular-cli: Cross-Site Scripting dependency of serialize-javascript

Created on 10 Dec 2019 · 20 Comments · Source: angular/angular-cli


Hi all,

Looks like there's an npm audit issue dependent on serialize-javascript. Currently the dependency is set to v1.9.1; it seems to be resolved in >=2.1.1.

Any ETA on if we can update the dependency?

RE: https://npmjs.com/advisories/1426

Moderate Cross-Site Scripting
Package serialize-javascript
Patched in >=2.1.1
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > copy-webpack-plugin > serialize-javascript

More info https://npmjs.com/advisories/1426

Please read https://angular.io/guide/security#report-issues on how to disclose security related issues.


devkit/build-angular · high · security · bugfix

Most helpful comment

one fix is that you add it to your resolutions in package.json

"resolutions": {
  "serialize-javascript": "^2.1.1"
}

and then possibly:

rm -r node_modules
npx npm-force-resolutions
npm install

worked for me

All 20 comments

Any update on this?

There is a PR to address this already https://github.com/angular/angular-cli/issues/16414

This issue is blocking our development. Needs fix ASAP.

Please also note that the security vulnerability specifically mentions that it does not affect Node.js applications.

@alan-agius4 It looks like the actual PR that addresses this is #16404.

one fix is that you add it to your resolutions in package.json

"resolutions": {
  "serialize-javascript": "^2.1.1"
}

and then possibly:

rm -r node_modules
npx npm-force-resolutions
npm install

worked for me

Tested and working! Thank you

+1

Any update on this, apart from the mentioned patch?

Please be aware that the Angular CLI is a Node.js application and the vulnerability specifies that it does not affect Node.js applications.

See the full GitHub advisory here: https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-h9rv-jmmf-4pgx

However, a patch release for 8.3 is forthcoming which will resolve npm's warnings.

Thanks!

Hi, I'm having the same issue. The trick "npm-force-resolutions" worked locally for me, but it's not working when building on GitLab, for example.

Do you have more information, please?

Adding resolutions doesn't work for me either. Any other tricks, or just wait until this issue is resolved?

Adding

"resolutions": {
  "serialize-javascript": "^2.1.1"
}

fixed this problem locally. However, it fails in the GitLab pipeline, where it introduces the same problem again.
Any other tricks on this one?

@marieAugade, @leonlehmann and @masseSnus
The resolutions block is not picked up by npm natively, but is something that works in yarn only.
npm install --save npm-force-resolutions installs a package that will make npm work with the resolutions block.

Executing npx npm-force-resolutions and npm install in your terminal will fix the package-lock.json to resolve to the correct package.
But you need to do that every time.
In order for your CI build to get fixed, also add npx npm-force-resolutions to the scripts block in the preinstall step.

"scripts": {
    "preinstall": "npx npm-force-resolutions"
}

npm will execute it every time you run npm install.

Hope this helps

@wburgers I'll try this, thank you very much

@wburgers Thanks and it works for me.

@angular-devkit/build-angular v8.3.21 has been released. npm audit fix now automatically fixes this vulnerability 🎉

Version 8.3.21 will no longer show the npm warning. Please also note that the Angular CLI was not affected by this vulnerability.

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_This action has been performed automatically by a bot._
