
npm audit finds two high vulnerabilities. What am I supposed to do?


I ran npm audit on my project and it gave me this:

High Command Injection
Dependency of @angular-devkit/build-angular [dev]

Path @angular-devkit/build-angular > @ngtools/webpack > tree-kill

More info https://npmjs.com/advisories/1432

High Command Injection

Package tree-kill

Patched in >=1.2.2

Dependency of @angular-devkit/build-angular [dev]

Path @angular-devkit/build-angular > tree-kill

More info https://npmjs.com/advisories/1432

tree-kill needs to be updated, but it is a dependency of Angular, not mine. So what now? Do I need to wait for the Angular team to update their own package.json to a newer version of tree-kill?


Solution

  • You can fix this without waiting for a new version of the package @angular-devkit/build-angular.

    Just do the following steps:

    1. Update your package.json file by adding a resolutions section with the proper version of the package tree-kill:
    "resolutions": {
      "tree-kill": "1.2.2"
    }
    
    2. Update your package-lock.json by running the command:
    npx npm-force-resolutions
    
    3. Reinstall the NPM packages in your project:
    rm -r node_modules
    npm install
    

    Run npm audit to check that your project no longer has this problem. And don't forget to commit the modified files package.json and package-lock.json.

    More information about NPM Force Resolutions.
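As an added example (not part of the answer above or of npm-force-resolutions), the following script verifies offline that, after the resolutions step, no copy of tree-kill below the patched version 1.2.2 remains anywhere in package-lock.json. It goes slightly beyond the answer by handling both the nested lockfile v1 layout and the flat "packages" layout of lockfile v2/v3; the lockfile contents and the "0.0.0-constructed" versions are constructed sample data mirroring the two paths npm audit reported.

```javascript
// Added example: report every lockfile path where `name` resolves below `patched`.
// SAMPLE_LOCK is constructed data, not a real package-lock.json.

// Compare two "x.y.z" version strings numerically: returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0, db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Return the lockfile paths at which `name` is installed below `patched`.
function findUnpatched(lock, name, patched) {
  const hits = [];
  // lockfile v2/v3: "packages" keyed by node_modules path, e.g. "node_modules/a/node_modules/tree-kill"
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p.endsWith('node_modules/' + name) && meta.version &&
        compareSemver(meta.version, patched) < 0) {
      hits.push(p + '@' + meta.version);
    }
  }
  // lockfile v1: nested "dependencies" trees, reported as "parent > child" chains
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = prefix ? prefix + ' > ' + dep : dep;
      if (dep === name && compareSemver(meta.version, patched) < 0) {
        hits.push(here + '@' + meta.version);
      }
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed v1-style lockfile with the two vulnerable paths from the audit output.
const SAMPLE_LOCK = { dependencies: { '@angular-devkit/build-angular': {
  version: '0.0.0-constructed', dependencies: {
    'tree-kill': { version: '1.2.1' },
    '@ngtools/webpack': { version: '0.0.0-constructed',
      dependencies: { 'tree-kill': { version: '1.2.1' } } } } } } };

console.log(findUnpatched(SAMPLE_LOCK, 'tree-kill', '1.2.2'));
```

To check a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; an empty result means the resolutions override took effect everywhere.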