There are some security warnings in package.json, please fix
Closed this issue · 2 comments
Jozdortraz commented
miniwangdali commented
High            Arbitrary File Overwrite
Package         fstream
Dependency of   @angular-devkit/build-angular [dev]
Path            @angular-devkit/build-angular > node-sass > node-gyp > fstream
More info       https://nodesecurity.io/advisories/886

High            Arbitrary File Overwrite
Package         fstream
Dependency of   @angular-devkit/build-angular [dev]
Path            @angular-devkit/build-angular > node-sass > node-gyp > tar > fstream
More info       https://nodesecurity.io/advisories/886

# Run npm update tar --depth 4 to resolve 1 vulnerability

High            Arbitrary File Overwrite
Package         tar
Dependency of   @angular-devkit/build-angular [dev]
Path            @angular-devkit/build-angular > node-sass > node-gyp > tar
More info       https://nodesecurity.io/advisories/803

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

Moderate        Regular Expression Denial of Service
Package         underscore.string
Patched in      >=3.3.5
Dependency of   remarkable
Path            remarkable > argparse > underscore.string
More info       https://nodesecurity.io/advisories/745

None of the 4 vulnerabilities above are in our direct dependencies.

Package         Current    Wanted     Latest     Location
@types/lodash   4.14.126   4.14.132   4.14.132   lacerta-blog
@types/node     8.9.5      8.9.5      12.0.2     lacerta-blog
core-js         2.6.5      2.6.8      3.1.2      lacerta-blog
rxjs            6.3.3      6.3.3      6.5.2      lacerta-blog
ts-node         7.0.1      7.0.1      8.2.0      lacerta-blog
tslint          5.11.0     5.11.0     5.16.0     lacerta-blog
typescript      3.2.4      3.2.4      3.4.5      lacerta-blog
zone.js         0.8.29     0.8.29     0.9.1      lacerta-blog

None of these packages has an update that fixes the vulnerability issue yet. Updating packages manually may break the dependencies. How would we solve it?
Jozdortraz commented
So just leave it, and the Angular team may fix it later.