-
Notifications
You must be signed in to change notification settings - Fork 12k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NPM Audit Failure = @angular-devkit/build-angular #14138
Comments
Hi, thanks for reporting this, however this is caused by an upstream package and will be fixed when they release a new version nodejs/node-gyp#1714 |
I am having the same issue. |
v4.4.8 was just released. |
Looks like node-gyp already took care of it. |
Im guessing with it now being resolved we can expect this in the next release? |
Building a new app still generates the same error |
See: sass/node-sass#2625 |
This question has already been answered. Can you try this solution https://stackoverflow.com/a/55649551/10961281, it has worked for me |
Do NOT manually edit the lock file. |
Wait till sass is updated and give the angular chaps time, it's friday (for us anyway) We aren't releasing this weekend. The Angular guys are extremely quick at resolving issues, patience is key. |
Manually removed vulnerability by upgrading 'tar' package from 2.2.1 to 4.4.8 (https://stackoverflow.com/questions/55635378/angular-devkit-build-angular-arbitrary-file-overwrite). angular-devkit and node-sass issues are still open. (angular/angular-cli#14138, sass/node-sass#2625). Will permanently be fixed once above 2 issues are addressed by Angular and node-sass teams.
+1 |
I am also having this issue, any news on an update? |
I also have this problem. We wait few days with merges. |
Any update on this? |
Hi all, node-sass have yet to fix the issue see: sass/node-sass#2625 |
Our CI pipe lines throwing this vulnerability, so what is ETA of this Issue? |
Check out nodejs/node-gyp#1718 for an ETA on the next node-gyp release containing a fix. At this stage, it looks like they're still debating what version number to give it. 😑 |
This is not the way to do it. Manually editing the package-lock.json file to fix the dependency version seems like a quick fix but it's not the right fix since the package-lock file will be overwritten when you run a |
any updates? |
any updates? |
any updates? cannot wait for the right solution. |
still waiting for an apropriate solution :( |
Any ETA on this as our CI builds complain about this vulnerability. |
* update frontend deps to deal with security alerts * 2 fixes are still outstanding: sass/node-sass#2625, angular/angular-cli#14138
@subhashkonda @art3miz18 @pl4yradam @isamrish @pablocid I think it's safe to say if you still see the blocked tag on this issue, they are unable to execute work to fix it. Keep an eye on the fixes this work is dependent on, it's all been documented above what is needed for the Angular team to do what they need to do. |
@macgyver214 im not sure why I have been tagged as I was providing a link to the issue? |
Hi! It's gonna be fix this issue soon? Thanks! |
For those wondering why fixing this issue takes so long, have a look at isaacs/node-tar#213 : they are facing a corner case where updating a library might cause more problems than leaving the security breach open. Let’s hope someone will find a way to solve this. :) |
New version of tar just has been released: Node-sass: |
Closing the issue as this seems to have been fixed upstream without the need to do any changes from our side. |
Confirmed. I have tried it this morning.
…On Thu, 16 May 2019, 08:54 Alan Agius, ***@***.***> wrote:
Closed #14138 <#14138>.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#14138?email_source=notifications&email_token=AFL4VWS2655UUA5BLNANFI3PVUHLVA5CNFSM4HFG33BKYY3PNVWWK3TUL52HS4DFWZEXG43VMVCXMZLOORHG65DJMZUWGYLUNFXW5KTDN5WW2ZLOORPWSZGORPHEIBY#event-2345550855>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFL4VWQBGI7PW573AOQHNUTPVUHLVANCNFSM4HFG33BA>
.
|
Yes! I just did: |
Npm audit fix fixed all issues in my local, but I still see in my CI build showing the tar 2.2.2 high vulnerability. Do you see the issue is still open or is this seems to be my CI Build specific. |
@subhashkonda i am also facing the same issue with github. Veulnerability fixed on my local but Github still shows it vulnerable. They might need some more time to update their audit list :). |
@alan-agius4 do you know when the dependency will be updated, and a new version of @angular-devkit/build-angular will be released on version 7 (stable)? |
@xaviergxf, I don't think they need a new release for this issue since it's been fixed upstream. |
Indeed no release is needed from our side. |
27 May 2019 - Still facing the same issue when creating new Angular project via CLI - 12 high vulnerabilities found. The following solved it for me: npm i -D node-sass node-pre-gyp node-gyp tar |
I still have this same issue in CI Builds but in local it is all fine npm audit gives 0 vulnerabilities, So what can be done here??? |
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
🐞 Bug report
Command (mark with an
x
)The text was updated successfully, but these errors were encountered: