@angular-eslint/builder references [email protected] which has CVE-2023-29827 #1776

Closed
phstkbs opened this issue Apr 18, 2024 · 2 comments
Labels
package: builder Angular CLI builder which enables executing ESLint in Angular CLI workspaces triage This issue needs to be looked at and categorized by a maintainer

phstkbs commented Apr 18, 2024

Description and reproduction of the issue

@angular-eslint/builder references [email protected] which has CVE-2023-29827

Versions

package version
@angular-eslint/builder 17.3.0
Node.js version v21.7.3 detected.
Odd numbered Node.js versions will not enter LTS status and should not be used for production. For more information, please see https://nodejs.org/en/about/previous-releases/.

     _                      _                 ____ _     ___
    / \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|
   / △ \ | '_ \ / _` | | | | |/ _` | '__|   | |   | |    | |
  / ___ \| | | | (_| | |_| | | (_| | |      | |___| |___ | |
 /_/   \_\_| |_|\__, |\__,_|_|\__,_|_|       \____|_____|___|
                |___/
    

Angular CLI: 17.3.4
Node: 21.7.3 (Unsupported)
Package Manager: npm 10.5.0
OS: darwin arm64

Angular: 17.3.4
... animations, cli, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1703.5
@angular-devkit/build-angular   17.3.4
@angular-devkit/core            17.3.5
@angular-devkit/schematics      17.3.4
@schematics/angular             17.3.4
rxjs                            7.8.1
typescript                      5.2.2
zone.js                         0.14.0
    
Warning: The current version of Node (21.7.3) is not supported by Angular.
@phstkbs phstkbs added package: builder Angular CLI builder which enables executing ESLint in Angular CLI workspaces triage This issue needs to be looked at and categorized by a maintainer labels Apr 18, 2024
@json-derulo
Contributor

[email protected] is not vulnerable, [email protected] is. @angular-eslint/builder v17.3.0 doesn't have a direct dependency on ejs; @nx/devkit does. However, there the version range is defined as ^3.1.7, so npm update or npm audit fix should resolve the vulnerability.
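
An added example, not part of the thread or the angular-eslint code base: a small Node.js script that reads a lockfile and reports which package actually requests ejs, with what range, and whether that range admits a newer release. The lockfile excerpt is constructed; `explain`, `caretAllows` and `nameOf` are hypothetical helper names, and only the builder version and the `^3.1.7` range come from the comments above.

```javascript
// Constructed package-lock.json (lockfileVersion 3) excerpt. Only the
// builder version and the ^3.1.7 range come from the thread; the other
// versions are made up for illustration.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { "@angular-eslint/builder": "17.3.0" } },
    "node_modules/@angular-eslint/builder": {
      version: "17.3.0",
      dependencies: { "@nx/devkit": "^17.0.0" },
    },
    "node_modules/@nx/devkit": { version: "17.0.0", dependencies: { ejs: "^3.1.7" } },
    "node_modules/ejs": { version: "3.1.8" },
  },
};

// Package name = text after the last "node_modules/" in a lockfile key.
const nameOf = (key) => key.slice(key.lastIndexOf("node_modules/") + 13);

// Report installed versions of `target` and every package that requests it.
function explain(lockfile, target) {
  const installed = [];
  const requiredBy = [];
  const fields = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  for (const [key, pkg] of Object.entries(lockfile.packages)) {
    const from = key === "" ? "(root project)" : nameOf(key);
    if (key !== "" && from === target) installed.push(pkg.version);
    for (const field of fields) {
      const range = (pkg[field] || {})[target];
      if (range) requiredBy.push({ from, range });
    }
  }
  const direct = requiredBy.some((r) => r.from === "(root project)");
  return { installed, requiredBy, direct };
}

// Does a caret range such as "^3.1.7" admit `version`?
// Assumes plain x.y.z versions with no pre-release tags.
function caretAllows(range, version) {
  const parse = (v) => v.split(".").map(Number);
  const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  const low = parse(range.slice(1));
  const v = parse(version);
  // Upper bound: bump the leftmost non-zero component of the lower bound.
  const up = low[0] > 0 ? [low[0] + 1, 0, 0] : low[1] > 0 ? [0, low[1] + 1, 0] : [0, 0, low[2] + 1];
  return cmp(v, low) >= 0 && cmp(v, up) < 0;
}

console.log(explain(lock, "ejs"), caretAllows("^3.1.7", "3.1.10"));
```

On a real project, load the parsed `package-lock.json` in place of `lock`; `npm ls ejs` gives the same dependency path from the command line.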

@JamesHenry
Member

I'm closing this one as it relates to an old version; the "vulnerable" version is no longer used. I put "vulnerable" in quotes because ejs is never executed outside of your machine by angular-eslint, as it is a development-only tool.
