Veracode flags the request transitive dependency of the dev dependency pacote #21240
Comments
Unfortunately this is not something that we can action as this has to be addressed upstream by That being said, we don't expect that the Angular CLI runs in production environments where this vulnerability can be exploited.
@alan-agius4 - thanks for the quick response on that one. That is what I was thinking but wanted to flag it here so others coming across it could see.
I have seen that mentioned on a few of the other issues as well and I just want to make sure I'm clear in my understanding so I can articulate it back to my team. This comment is referring to the fact that it is not expected for the CLI to be deployed to the production web server (container) and/or used as the production web server, correct? However, it is used in many people's CI process which, although not production, the vulnerability could be used by another dependency in the project or not? Or, alternatively, the assumption is the CI is sandboxed, thus a Denial-of-Service should only affect that single build and any remote code execution should be blocked by network policies? Thanks for any insight on this topic.
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot.
We have two vulnerabilities being flagged in Veracode due to the deprecated request library being used by pacote.
https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-21913/summary
https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-3911/summary
Dependency Tree:
It appears that this is removed in node-gyp@8, but due to @npmcli/run-script's support of Node 10 it is unable to update.
https://github.com/nodejs/node-gyp/blob/master/package.json
npm/run-script#25
Angular Cli Versions
I wasn't able to find anything in pacote on addressing this, so I'm not sure if we can just force the yarn resolution of node-gyp or if pacote itself needs to be updated.
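As an added example (not code from this issue or from the angular-cli project) for the two questions raised here, whether a chain like pacote > node-gyp > request is reachable only through a dev dependency and therefore a CI-only concern rather than a production one: the script below walks a dependency tree in the nested shape printed by npm ls --json, together with a package.json manifest, and reports every path from the project root to a flagged package along with whether that path enters through a devDependency. The manifest, tree and version numbers are constructed for the example.

```javascript
// Added example, not from the angular-cli project. Walks a dependency tree in
// the nested shape printed by `npm ls --json` and lists every path from the
// project root to a flagged package, marking whether the path enters through
// a devDependency. Manifest, tree and versions are constructed sample data.

const pkg = {
  dependencies: { express: '^4.17.1' },           // constructed
  devDependencies: { '@angular/cli': '^12.0.0' }, // constructed
};

const tree = {
  dependencies: {
    '@angular/cli': {
      version: '12.0.0',
      dependencies: {
        pacote: {
          version: '11.0.0',
          dependencies: {
            'node-gyp': {
              version: '7.0.0',
              dependencies: { request: { version: '2.88.2' } },
            },
          },
        },
      },
    },
    express: { version: '4.17.1', dependencies: {} },
  },
};

// Depth-first walk; `path` is the chain of package names from the root.
function findPaths(node, manifest, target, path = [], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const chain = path.concat(name);
    if (name === target) {
      const root = chain[0]; // the direct dependency this path enters through
      const devOnly = root in manifest.devDependencies && !(root in manifest.dependencies);
      out.push({ chain: chain.join(' > '), version: child.version, devOnly });
    }
    findPaths(child, manifest, target, chain, out);
  }
  return out;
}

// A flagged package reaches production only if some path is not dev-only.
function shipsToProduction(node, manifest, target) {
  return findPaths(node, manifest, target).some((p) => !p.devOnly);
}

console.log(findPaths(tree, pkg, 'request'));
```

Feeding real output (npm ls --json --all, or the equivalent lockfile walk for yarn) into findPaths in place of the constructed tree gives the same chain/devOnly report for an actual project.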