
Veracode flags the request transitive dependency of the dev dependency pacote #21240

Closed
LanceEa opened this issue Jun 29, 2021 · 3 comments

LanceEa commented Jun 29, 2021

We have two vulnerabilities being flagged in veracode due to the deprecated request library being used by pacote.

https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-21913/summary
https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-3911/summary

Dependency Tree:

[Screenshot: dependency tree]

It appears that this is removed in node-gyp@8 but due to @npmcli/run-script support of node 10 it is unable to update.

https://github.com/nodejs/node-gyp/blob/master/package.json
npm/run-script#25

Angular Cli Versions

[Screenshot: Angular CLI versions]

I wasn't able to find anything in pacote on addressing this so not sure if we can just force the yarn resolve of node-gyp or if pacote itself needs to be updated.

alan-agius4 (Collaborator) commented

Unfortunately this is not something that we can action, as this has to be addressed upstream by @npmcli/run-script.

That being said, we don't expect that the Angular CLI runs in production environments where this vulnerability can be exploited.

LanceEa (Author) commented Jun 29, 2021

@alan-agius4 - thanks for the quick response on that one.

That is what I was thinking, but I wanted to flag it here so others coming across it could see.

That being said, we don’t expect that the Angular CLI runs in production environments were this vulnerability can be exploited.

I have seen that mentioned on a few of the other issues as well, and I just want to make sure I'm clear in my understanding so I can articulate it back to my team. This comment is referring to the fact that it is not expected for the CLI to be deployed to the production web server (container) and/or used as the production web server, correct?

However, it is used in many people's CI processes, which, although not production, means the vulnerability could be used by another dependency in the project, or not? Or, alternatively, is the assumption that the CI is sandboxed, so a denial of service should only affect that single build and any remote code execution should be blocked by network policies?

Thanks for any insight on this topic.

angular-automatic-lock-bot commented

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.


angular-automatic-lock-bot locked and limited conversation to collaborators Jul 30, 2021