I recently upgraded my Angular version to 13, and the audit now reports 5 critical vulnerabilities:
loader-utils <=1.4.1 || 2.0.0 - 2.0.3
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
No fix available
node_modules/@angular-builders/custom-webpack/node_modules/resolve-url-loader/node_modules/loader-utils
node_modules/loader-utils
@angular-devkit/build-optimizer 0.901.0-next.0 - 0.1200.0-rc.3
Depends on vulnerable versions of loader-utils
node_modules/@angular-devkit/build-optimizer
resolve-url-loader 0.0.1-experiment-postcss || 1.0.3 - 2.0.0 || 3.0.1 - 3.1.4 || 4.0.0-alpha.1 - 4.0.0-beta.2
Depends on vulnerable versions of loader-utils
Depends on vulnerable versions of postcss
node_modules/@angular-builders/custom-webpack/node_modules/resolve-url-loader
Here is my package.json
{
"name": "dashboard",
"version": "0.0.799",
"scripts": {
"ng": "ng",
"start": "ng serve --host=0.0.0.0 --port=4200 --proxy-config proxy.conf.json",
"build": "ng build --prod",
"buildDev": "ng build --prod --base-href /angular-cq/event-dashboard/ --deploy-url /angular-cq/event-dashboard/",
"test": "ng test",
"lint": "ng lint",
"e2e": "ng e2e",
"postinstall": "node patch.js",
"start:local": "ng serve -c=local --port=4400",
"dev": "ng serve --port=4300",
"build-prod-patch": "npm version patch && node ./replace.build.js && ng build --prod && node ./versioning.build.js",
"build-prod-no-patch": "node ./replace.build.js && ng build --prod && node ./versioning.build.js"
},
"private": true,
"dependencies": {
"@amcharts/amcharts4": "^4.10.29",
"@angular-devkit/architect": "^0.1202.18",
"@angular-devkit/core": "^13.3.11",
"@angular/animations": "^13.3.12",
"@angular/cdk": "^13.3.9",
"@angular/common": "^13.3.12",
"@angular/compiler": "^13.3.12",
"@angular/core": "^13.3.12",
"@angular/flex-layout": "^13.0.0-beta.38",
"@angular/forms": "^13.3.12",
"@angular/localize": "^13.3.12",
"@angular/material": "^13.3.9",
"@angular/material-moment-adapter": "^13.3.9",
"@angular/platform-browser": "^13.3.12",
"@angular/platform-browser-dynamic": "^13.3.12",
"@angular/platform-server": "^13.3.12",
"@angular/router": "^13.3.12",
"@angular/service-worker": "^13.3.12",
"@ckeditor/ckeditor5-angular": "^1.2.3",
"@ckeditor/ckeditor5-build-classic": "^18.0.0",
"@fortawesome/angular-fontawesome": "^0.10.2",
"@fortawesome/fontawesome-svg-core": "^1.2.30",
"@fortawesome/free-solid-svg-icons": "^5.14.0",
"@henkkelder/ng2-signalr": "^12.0.2",
"@ng-bootstrap/ng-bootstrap": "^12.0.0",
"@popperjs/core": "^2.11.6",
"@syncfusion/ej2-angular-base": "^19.4.56",
"@syncfusion/ej2-angular-buttons": "^19.4.42",
"@syncfusion/ej2-angular-calendars": "^19.4.48",
"@syncfusion/ej2-angular-dropdowns": "^19.4.56",
"@syncfusion/ej2-angular-grids": "^19.4.56",
"@syncfusion/ej2-angular-inputs": "^19.4.47",
"@syncfusion/ej2-angular-navigations": "^19.4.47",
"@syncfusion/ej2-angular-notifications": "^19.4.52",
"@syncfusion/ej2-angular-popups": "^19.4.53",
"@syncfusion/ej2-angular-splitbuttons": "^19.4.52",
"@syncfusion/ej2-layouts": "^19.4.52",
"@types/file-saver": "^1.3.0",
"@types/highcharts": "^5.0.29",
"angular-bootstrap-md": "^13.0.0",
"angular-linky": "^1.2.2",
"angular2-highcharts": "^0.5.5",
"arcgis-js-api": "^4.26.5",
"bootstrap": "^4.5.2",
"chart.js": "^2.9.3",
"classlist.js": "^1.1.20150312",
"core-js": "^2.6.11",
"crypto-browserify": "^3.12.0",
"crypto-js": "^3.3.0",
"esri-loader": "^3.1.0",
"file-saver": "^1.3.8",
"font-awesome": "^4.7.0",
"google-libphonenumber": "^3.2.32",
"highcharts": "^6.1.3",
"immutable": "^4.0.0-rc.12",
"intl-tel-input": "^17.0.13",
"jquery": "^3.3.1",
"libphonenumber-js": "^1.9.23",
"moment": "^2.27.0",
"ng-mocks": "^13.5.1",
"ngx-autosize": "^1.8.0",
"ngx-bootstrap": "^6.0.0",
"ngx-clipboard": "^12.2.1",
"ngx-cookie-service": "^2.3.0",
"ngx-infinite-scroll": "^8.0.2",
"ngx-intl-tel-input": "^3.2.0",
"ngx-textarea-autosize": "^2.0.3",
"primeicons": "^5.0.0",
"primeng": "^13.2.1",
"replace-in-file": "^6.1.0",
"rxjs": "^6.6.3",
"sass": "~1.58.0",
"save": "^2.4.0",
"signalr": "^2.4.0",
"socket.io-client": "2.2.0",
"stream": "^0.0.2",
"subsink": "^1.0.1",
"three-dots": "^0.2.0",
"web-animations-js": "^2.3.2",
"zone.js": "~0.11.4"
},
"devDependencies": {
"@angular-builders/custom-webpack": "^10.0.1",
"@angular-devkit/build-angular": "^13.3.10",
"@angular/cli": "^13.3.11",
"@angular/compiler-cli": "^13.3.12",
"@angular/language-service": "^13.3.12",
"@types/faker": "^5.1.0",
"@types/jasmine": "~2.8.16",
"@types/jasminewd2": "^2.0.8",
"@types/jest": "^29.4.4",
"@types/node": "~8.9.4",
"codelyzer": "^6.0.0",
"faker": "^5.1.0",
"jasmine-core": "^3.8.0",
"jasmine-spec-reporter": "~5.0.0",
"karma": "^6.3.9",
"karma-chrome-launcher": "~3.1.0",
"karma-coverage-istanbul-reporter": "~3.0.2",
"karma-jasmine": "~4.0.0",
"karma-jasmine-html-reporter": "^1.6.0",
"protractor": "~7.0.0",
"ts-node": "~5.0.1",
"tslint": "~6.1.0",
"typescript": "^4.0.8"
}
}
So the issue is caused by the vulnerable version of loader-utils. I found it in package-lock.json: the resolved version is 2.0.1 or 1.4.0 for some transitive dependencies.
I found that loader-utils versions 2.0.4 and 3.2.1 contain the fix for this vulnerability, so I manually changed the entries in package-lock.json to those versions, but that caused compilation issues, so I have reverted it for now. Please let me know what can be done to fix this issue.
Edit: adding the output of `npm ls loader-utils`
+-- @angular-builders/custom-webpack@10.0.1
| `-- @angular-devkit/build-angular@0.1002.1
| +-- @angular-devkit/build-optimizer@0.1002.1
| | `-- loader-utils@2.0.0 deduped
| +-- @jsdevtools/coverage-istanbul-loader@3.0.5
| | `-- loader-utils@2.0.0 deduped
| +-- babel-loader@8.1.0
| | `-- loader-utils@1.4.2
| +-- copy-webpack-plugin@6.0.3
| | `-- loader-utils@2.0.0 deduped
| +-- css-loader@4.2.2
| | `-- loader-utils@2.0.0 deduped
| +-- file-loader@6.0.0
| | `-- loader-utils@2.0.0 deduped
| +-- less-loader@6.2.0
| | `-- loader-utils@2.0.0 deduped
| +-- loader-utils@2.0.0
| +-- mini-css-extract-plugin@0.10.0
| | `-- loader-utils@1.4.2
| +-- postcss-loader@3.0.0
| | `-- loader-utils@1.4.2
| +-- raw-loader@4.0.1
| | `-- loader-utils@2.0.0 deduped
| +-- resolve-url-loader@3.1.2
| | +-- adjust-sourcemap-loader@3.0.0
| | | `-- loader-utils@2.0.0 deduped
| | `-- loader-utils@1.2.3
| +-- sass-loader@10.0.1
| | `-- loader-utils@2.0.0 deduped
| +-- source-map-loader@1.0.2
| | `-- loader-utils@2.0.0 deduped
| +-- style-loader@1.2.1
| | `-- loader-utils@2.0.0 deduped
| +-- stylus-loader@3.0.2
| | `-- loader-utils@1.4.2
| +-- webpack@4.44.1
| | `-- loader-utils@1.4.2
| `-- worker-plugin@5.0.0
| `-- loader-utils@1.4.2
`-- @angular-devkit/build-angular@13.3.11
+-- babel-loader@8.2.5
| `-- loader-utils@2.0.0 deduped
+-- loader-utils@3.2.1
`-- resolve-url-loader@5.0.0
+-- adjust-sourcemap-loader@4.0.0
| `-- loader-utils@2.0.0 deduped
`-- loader-utils@2.0.0 deduped
Updating `@angular-builders/custom-webpack` to v13 will update loader-utils for you. Your `npm ls` output shows that every old loader-utils 1.x copy is pulled in under `@angular-builders/custom-webpack@10.0.1` (through its own `@angular-devkit/build-angular@0.1002.1`), which your package.json still pins at `^10.0.1`, while the v13 `@angular-devkit/build-angular` already resolves to loader-utils 3.2.1.