Update @angular-devkit/schematics because of vulnerability in ajv@6.9.1
konradpociask opened this issue · 1 comment
Feature request
Package versions you currently use:
devextreme version: 19.2.7
devextreme-angular version: 19.2.7
Description:
devextreme-angular in version 19.2.7, but also the latest 20.1.6, has @angular-devkit/schematics as a dependency in version 7.3.10. Going two more levels deep in the dependency tree you will find ajv@6.9.1, which is vulnerable to Prototype Pollution.
More details about vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2020-15366
All other devextreme-angular production dependencies were already updated to use the latest ajv.
    +-- devextreme@19.2.9
    |   `-- turndown@6.0.0
    |       `-- jsdom@16.4.0
    |           `-- request@2.88.2
    |               `-- har-validator@5.1.5
    |                   `-- ajv@6.12.3 deduped
    `-- devextreme-angular@19.2.7
        +-- @angular-devkit/schematics@7.3.10
        |   `-- @angular-devkit/core@7.3.10
        |       `-- **ajv@6.9.1**
        `-- devextreme-schematics@1.2.2
            +-- @angular-devkit/core@8.3.29
            |   `-- ajv@6.12.3
            `-- @schematics/angular@8.3.29
                `-- @angular-devkit/core@8.3.29
                    `-- ajv@6.12.3 deduped
(The command run to get the dependency tree above was 'npm ls ajv --production'.)
Preferred Solution:
Update the @angular-devkit/schematics dependency to a newer version which has ajv in version 6.12.3 as a dependency.
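An added example (not from the issue or the DevExtreme project) that automates the check the reporter did by hand: it walks the JSON form of `npm ls ajv --json` and reports every dependency path that resolves to an ajv older than the 6.12.3 the other dependencies already use. The tree object is constructed by hand to mirror the one posted above; the version threshold is the one the issue names.

```javascript
// Added example: find transitive copies of a package below a fixed version
// in the JSON output of `npm ls <pkg> --json`. Not part of the issue or project.

// Lowest ajv version the issue reports as already in use elsewhere (the fix).
const FIXED_AJV = '6.12.3';

// Compare two dotted x.y.z versions numerically; returns -1, 0 or 1.
// (Deliberately small: no prerelease handling, enough for the ajv lines above.)
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect every node named `pkg`, with the path that reaches it.
function findPackage(node, pkg, path = []) {
  const hits = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${child.version}`];
    if (name === pkg) hits.push({ path: here, version: child.version });
    hits.push(...findPackage(child, pkg, here));
  }
  return hits;
}

// Keep only the occurrences older than the fixed version.
function vulnerablePaths(tree, pkg, fixed) {
  return findPackage(tree, pkg).filter(h => compareVersions(h.version, fixed) < 0);
}

// Constructed sample mirroring the issue's tree (deduped entries omitted).
const SAMPLE_TREE = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    'devextreme-angular': { version: '19.2.7', dependencies: {
      '@angular-devkit/schematics': { version: '7.3.10', dependencies: {
        '@angular-devkit/core': { version: '7.3.10', dependencies: {
          ajv: { version: '6.9.1' } } } } },
      'devextreme-schematics': { version: '1.2.2', dependencies: {
        '@angular-devkit/core': { version: '8.3.29', dependencies: {
          ajv: { version: '6.12.3' } } } } } } } }
};

for (const h of vulnerablePaths(SAMPLE_TREE, 'ajv', FIXED_AJV))
  console.log(`ajv@${h.version} < ${FIXED_AJV} via ${h.path.join(' > ')}`);
```

Pipe real output in with `npm ls ajv --production --json` and parse it with `JSON.parse` to run the same walk against an actual project.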
We fixed this issue in v20.1.10 and v20.2.5.