angular-devkit/[email protected] depends on tree-kill 1.2.1, which, according to https://www.npmjs.com/advisories/1432, is prone to command injection. Please upgrade the dependency to a later version. Thanks
This affects angular 9 rc-8 too
A temporary workaround (that also works in situations where the package maintainer has yet to release dependencies but y'know, security.)
First, run npm audit to determine which version needs to be fixed.
=== npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tree-kill                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.2.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular-devkit/build-angular [dev]                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular-devkit/build-angular > tree-kill                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1432 (hi medium/hackernoon)     │
└───────────────┴──────────────────────────────────────────────────────────────┘
Ok, we need tree-kill@1.2.2.
Go to https://registry.npmjs.org/${PACKAGE}, in this case https://registry.npmjs.org/tree-kill, and copy versions.${VERSION}.dist.integrity.
For tree-kill@1.2.2, it's sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A==.
Finally, open package-lock.json and change the required version under @angular-devkit/build-angular and the version/integrity of the tree-kill entry.
{
  ...
  "dependencies": {
    "@angular-devkit/build-angular": {
      ...
      "requires": {
        ...
        "tree-kill": "1.2.2"
        ...
      }
      ...
    },
    ...
    "tree-kill": {
      "version": "1.2.2",
      "resolved": "https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.2.tgz",
      "integrity": "sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A==",
      "dev": true
    },
    ...
  }
  ...
}
Running npm audit shouldn't find any vulnerabilities if this was the only issue.
=== npm audit security report ===
found 0 vulnerabilities
Some caveats - when the package maintainer updates their package but doesn't update the affected required package, you'll need to do this again. However, if they do update the affected package, you won't need to do any extra work.
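The same lockfile edit, done from a script rather than by hand, as an added example that is not part of this thread: it pins tree-kill to 1.2.2 in every `requires` block, rewrites the tree-kill entry with the registry's `dist.integrity` so the pin stays verifiable, and refuses to pin a version the registry document has no integrity for. The registry document and the package-lock.json excerpt are constructed stand-ins (the integrity string is the one quoted above).

```javascript
// Added example, not code from the issue: script the package-lock.json workaround.
// REGISTRY_DOC mimics the trimmed shape of https://registry.npmjs.org/tree-kill;
// LOCK is a constructed lockfile-v1 excerpt that still carries the vulnerable pin.
const REGISTRY_DOC = {
  name: 'tree-kill',
  versions: { '1.2.2': { dist: {
    tarball: 'https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.2.tgz',
    integrity: 'sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A==',
  } } },
};

const LOCK = {
  dependencies: {
    '@angular-devkit/build-angular': { version: '0.0.0-constructed', dev: true,
      requires: { 'tree-kill': '1.2.1' } },
    'tree-kill': { version: '1.2.1', dev: true,
      resolved: 'https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.1.tgz',
      integrity: 'sha512-constructed-old-hash' },
  },
};

// Compare two "a.b.c" versions numerically: negative, zero or positive like strcmp.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Names of lock entries whose `requires` still pin `pkg` below the patched version.
function vulnerableDependents(lock, pkg, patched) {
  return Object.entries(lock.dependencies)
    .filter(([, e]) => e.requires && e.requires[pkg] && compareVersions(e.requires[pkg], patched) < 0)
    .map(([name]) => name);
}

// Pin `pkg` to `version` in every `requires` block and rewrite its own entry from the
// registry metadata. Throws when the registry has no integrity for that version, because
// an entry whose hash does not match the tarball would not be verified on install.
function pinDependency(lock, registryDoc, pkg, version) {
  const v = registryDoc.versions[version];
  if (!v || !v.dist || !v.dist.integrity) throw new Error(`${pkg}@${version}: no dist.integrity in registry doc`);
  const deps = lock.dependencies, touched = [];
  for (const [name, entry] of Object.entries(deps)) {
    if (entry.requires && pkg in entry.requires) { entry.requires[pkg] = version; touched.push(name); }
  }
  deps[pkg] = { ...deps[pkg], version, resolved: v.dist.tarball, integrity: v.dist.integrity };
  return touched;
}

console.log(vulnerableDependents(LOCK, 'tree-kill', '1.2.2')); // [ '@angular-devkit/build-angular' ]
pinDependency(LOCK, REGISTRY_DOC, 'tree-kill', '1.2.2');
console.log(vulnerableDependents(LOCK, 'tree-kill', '1.2.2')); // []
```

Run it against a real package-lock.json by replacing the constructed objects with `JSON.parse(fs.readFileSync(...))` and writing the result back; `npm audit` afterwards should report the tree-kill finding as resolved.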
Is there a plan to issue a security patch that resolves this for 7.x?
@alechemy it looks like you would need to create a new branch from 7.3.x, then make the same change as shown in this commit.
If I have time I'll do it this weekend, it's worth the effort.
This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.