Ionic-cli: Vulnerability of tree-kill to Command Injection; a simple update to version 1.2.2 fixes it.

Created on 13 Jan 2020 · 20 Comments · Source: ionic-team/ionic-cli

Description:
The warning starts to appear for the project when you do a fresh npm install: npm reports "found 4 high severity vulnerabilities", and when you run the command npm audit you can see there are 2 main sources for the issue, one from Angular and one from Ionic CLI.

npm audit

                       === npm audit security report ===                        


                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             

          Visit https://go.npm.me/audit-guide for additional guidance           


  High            Command Injection                                             

  Package         tree-kill                                                     

  Patched in      >=1.2.2                                                       

  Dependency of   @angular-devkit/build-angular [dev]                           

  Path            @angular-devkit/build-angular > @ngtools/webpack > tree-kill  

  More info       https://npmjs.com/advisories/1432                             


  High            Command Injection                                             

  Package         tree-kill                                                     

  Patched in      >=1.2.2                                                       

  Dependency of   @angular-devkit/build-angular [dev]                           

  Path            @angular-devkit/build-angular > tree-kill                     

  More info       https://npmjs.com/advisories/1432                             


  High            Command Injection                                             

  Package         tree-kill                                                     

  Patched in      >=1.2.2                                                       

  Dependency of   @ionic/lab [dev]                                              

  Path            @ionic/lab > @ionic/cli-framework > @ionic/utils-process >    
                  tree-kill                                                     

  More info       https://npmjs.com/advisories/1432                             


  High            Command Injection                                             

  Package         tree-kill                                                     

  Patched in      >=1.2.2                                                       

  Dependency of   @ionic/lab [dev]                                              

  Path            @ionic/lab > @ionic/cli-framework > @ionic/utils-subprocess   
                  > @ionic/utils-process > tree-kill                            

  More info       https://npmjs.com/advisories/1432                             

found 4 high severity vulnerabilities in 17819 scanned packages
  4 vulnerabilities require manual review. See the full report for details.

After I ran npm list tree-kill:

+-- @angular-devkit/[email protected]
| +-- @ngtools/[email protected]
| | `-- [email protected]  deduped
| `-- [email protected]
`-- @ionic/[email protected]
  `-- @ionic/[email protected]
    `-- @ionic/[email protected]
      `-- [email protected]  deduped

My ionic info:

Ionic:

   Ionic CLI                     : 5.4.13 (C:\Users\Al-MothafarAl-Hasan\AppData\Roaming\npm\node_modules\ionic)
   Ionic Framework               : @ionic/angular 4.11.7
   @angular-devkit/build-angular : 0.803.22
   @angular-devkit/schematics    : 8.3.22
   @angular/cli                  : 8.3.22
   @ionic/angular-toolkit        : 2.1.1

Capacitor:

   Capacitor CLI   : not installed
   @capacitor/core : not installed

Cordova:

   Cordova CLI       : not installed
   Cordova Platforms : not available
   Cordova Plugins   : not available

Utility:

   cordova-res : not installed
   native-run  : not installed

System:

   NodeJS : v13.5.0 (C:\Program Files\nodejs\node.exe)
   npm    : 6.13.4
   OS     : Windows 10

Other info

The line to change is: https://github.com/ionic-team/ionic-cli/blob/develop/packages/%40ionic/utils-process/package.json#L35

tree-kill vulnerability : https://npmjs.com/advisories/1432


All 20 comments

i've got the same issue today

Here the same

Why has this been closed?

@hbendix it is merged here #4247

Ionic CLI 5.4.14 is out with this fix. Thanks for the report!! 😁

I got Ionic CLI 5.4.14 and issue persists. How can I fix it?

@gigocabrera did you try to remove node_modules and package-lock and run npm install again?

@almothafar I did twice and package-lock comes back with tree-kill 1.2.1 (not 1.2.2)

@gigocabrera it is maybe Angular's fault; for me, the latest version is working fine:

+-- @angular-devkit/[email protected]
| +-- @ngtools/[email protected]
| | `-- [email protected]  deduped
| `-- [email protected]
`-- @ionic/[email protected]
  `-- @ionic/[email protected]
    `-- @ionic/[email protected]
      `-- [email protected]

Run npm list tree-kill and look who is using that version.

`-- @angular-devkit/[email protected]
  +-- @ngtools/[email protected]
  | `-- [email protected]  deduped
  `-- [email protected]

I think because Ionic uses ^ for the version, npm thinks you don't mind using a slightly older minor version, so it is the fault of build-angular, not ionic-cli; they fixed that on their side, but the new version is not published yet: https://github.com/angular/angular-cli/issues/16629.

ahhh ok, let me try that and see if that works

@viradia2 Did you check who uses it? run command npm list tree-kill

@almothafar here I found this
+-- @angular-devkit/[email protected]
| +-- @ngtools/[email protected]
| | `-- [email protected]
| `-- [email protected]

@viradia2 what does Ionic have to do with this? 🙃 You can clearly see it is an Angular build tool issue!

@almothafar Could you please explain what you mean by "it's an Angular build tool issue"?

@viradia2 @angular-devkit/[email protected] uses @ngtools/[email protected], which uses [email protected]; they fixed that already, you just need to wait for the next version, then you need to update @angular-devkit/build-angular. Check my previous comments regarding this.

Thank you @almothafar

thanks @almothafar

Is there a possibility of manually updating the tree-kill dependency to 1.2.2, or would we have to wait on the next version? I've tried manually changing the package.json to 1.2.2 everywhere I could find, but that wasn't enough.

@TheModestMonk you can use yarn or npm-force-resolutions, but I don't think you need to panic because of this issue right now; I don't see that it is worth the effort.

But look at these:
https://github.com/rogeriochaves/npm-force-resolutions
https://yarnpkg.com/lang/en/docs/selective-version-resolutions/

Personally, I never did that, just because there is no really serious situation; for example, this tree-kill issue affects dev, not a production distributed file.
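As an added example of the two pinning approaches mentioned in the comment above (not from the thread, the Ionic project, or Angular), a package.json fragment that forces tree-kill to 1.2.2 on every dependency path regardless of the ^ range declared by the intermediate packages. The "resolutions" field is honoured natively by Yarn; npm of this era ignores it, which is why npm-force-resolutions is run as a preinstall script to rewrite package-lock.json before the install proceeds. The package name "my-ionic-app" and the audit:check script are placeholders; the build-angular version is the one from the reporter's ionic info.

```json
{
  "name": "my-ionic-app",
  "scripts": {
    "preinstall": "npx npm-force-resolutions",
    "audit:check": "npm audit && npm ls tree-kill"
  },
  "devDependencies": {
    "@angular-devkit/build-angular": "0.803.22"
  },
  "resolutions": {
    "tree-kill": "1.2.2"
  }
}
```

Usage: with a package-lock.json already present, run npm install once more; the preinstall hook rewrites every tree-kill entry in the lock file to 1.2.2, and npm ls tree-kill should then show 1.2.2 under @ngtools/webpack and @angular-devkit/build-angular with no "deduped" 1.2.1 left. Two caveats a practitioner should weigh: a forced resolution overrides a range the dependent author chose, so a breaking change in the forced version is now your problem, not theirs; and npm 8.3 and later provide an "overrides" field in package.json that does the same job without the preinstall hook, so on a current toolchain prefer that over npm-force-resolutions.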
