ProGet reports no issues but npm audit sees high severity vulnerability
-
Hi,
In one of our older products we use angular 1.8.3.
ProGet reports
This package has no known security vulnerabilities.
but npm audit reports
angular  *
Severity: high
angular vulnerable to regular expression denial of service (ReDoS) - https://github.com/advisories/GHSA-m2h2-264f-f486
Angular (deprecated package) Cross-site Scripting - https://github.com/advisories/GHSA-prc3-vjfx-vhm9
angular vulnerable to regular expression denial of service via the angular.copy() utility - https://github.com/advisories/GHSA-2vrf-hf26-jrp5
angular vulnerable to regular expression denial of service via the $resource service - https://github.com/advisories/GHSA-2qqx-w9hr-q5gx
angular vulnerable to regular expression denial of service via the <input type="url"> element - https://github.com/advisories/GHSA-qwqh-hm9m-p5hr
angular vulnerable to super-linear runtime due to backtracking - https://github.com/advisories/GHSA-4w4v-5hc9-xrr2
fix available via `npm audit fix --force`
Will install angular@1.6.10, which is a breaking change
node_modules/angular

1 high severity vulnerability
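The post shows two scanners disagreeing about the same package: the registry-side scanner reports nothing while `npm audit` lists six advisories. A practical defence against that kind of gap is to treat the registry's verdict as one opinion and reconcile it against `npm audit --json` in CI. The script below is an added example, not code from the forum post, from Inedo, or from ProGet. It assumes the `auditReportVersion: 2` JSON layout that npm 7 and later emit (a `vulnerabilities` map whose entries carry `severity`, `via`, and `fixAvailable`); the sample report is constructed for the example, using only the advisory URLs the post lists, and the per-advisory severities in it are made up. Check the field names against your own `npm audit --json` output before relying on them.

```javascript
// Added example: reconcile `npm audit --json` findings against what a
// registry-side scanner reported, and surface advisories the scanner missed.
// Field names follow the npm 7+ "auditReportVersion: 2" layout as an assumption.

// Constructed sample of `npm audit --json` for the angular 1.8.3 finding in the
// post. Advisory titles and URLs are the ones the post lists; numeric `source`
// ids and the per-advisory severities are made up for this example.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    angular: {
      name: 'angular',
      severity: 'high',
      isDirect: true,
      range: '*',
      nodes: ['node_modules/angular'],
      fixAvailable: { name: 'angular', version: '1.6.10', isSemVerMajor: true },
      via: [
        { source: 1, title: 'angular vulnerable to regular expression denial of service (ReDoS)', url: 'https://github.com/advisories/GHSA-m2h2-264f-f486', severity: 'high', range: '*' },
        { source: 2, title: 'Angular (deprecated package) Cross-site Scripting', url: 'https://github.com/advisories/GHSA-prc3-vjfx-vhm9', severity: 'moderate', range: '*' },
        { source: 3, title: 'angular vulnerable to regular expression denial of service via the angular.copy() utility', url: 'https://github.com/advisories/GHSA-2vrf-hf26-jrp5', severity: 'high', range: '*' },
        { source: 4, title: 'angular vulnerable to regular expression denial of service via the $resource service', url: 'https://github.com/advisories/GHSA-2qqx-w9hr-q5gx', severity: 'high', range: '*' },
        { source: 5, title: 'angular vulnerable to regular expression denial of service via the <input type="url"> element', url: 'https://github.com/advisories/GHSA-qwqh-hm9m-p5hr', severity: 'high', range: '*' },
        { source: 6, title: 'angular vulnerable to super-linear runtime due to backtracking', url: 'https://github.com/advisories/GHSA-4w4v-5hc9-xrr2', severity: 'high', range: '*' },
      ],
    },
  },
};

// npm's severity ladder, ranked so that a threshold comparison is possible.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Pull the GHSA id out of an advisory URL; returns null for anything else.
function ghsaIdFromUrl(url) {
  const m = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}$/i.exec(url || '');
  return m ? m[0] : null;
}

// Flatten the report into one record per (package, advisory). In the v2 layout
// a `via` entry is either an advisory object or, for transitive findings, just
// the name of the vulnerable dependency as a string; strings are skipped here.
function extractAdvisories(report) {
  const out = [];
  for (const [pkg, v] of Object.entries(report.vulnerabilities || {})) {
    for (const entry of v.via || []) {
      if (typeof entry !== 'object' || entry === null) continue;
      out.push({
        package: pkg,
        id: ghsaIdFromUrl(entry.url),
        title: entry.title,
        severity: entry.severity,
        fixAvailable: v.fixAvailable,
      });
    }
  }
  return out;
}

// `scannerFindings` maps package name -> Set of GHSA ids the primary scanner
// reported. Returns the npm advisories at or above `minSeverity` that the
// scanner did not mention, i.e. the gap a reviewer should look at.
function findMissedAdvisories(report, scannerFindings, minSeverity = 'high') {
  const threshold = SEVERITY_RANK[minSeverity];
  return extractAdvisories(report).filter((a) => {
    const known = scannerFindings[a.package] || new Set();
    return a.id !== null && SEVERITY_RANK[a.severity] >= threshold && !known.has(a.id);
  });
}

// Human-readable summary, one line per missed advisory plus a note when the
// only fix npm offers is a semver-major (breaking) downgrade or upgrade.
function summarize(missed) {
  const lines = missed.map((a) => `${a.package}: ${a.id} [${a.severity}] ${a.title}`);
  const breaking = missed.find((a) => a.fixAvailable && a.fixAvailable.isSemVerMajor);
  if (breaking) {
    lines.push(`note: npm's fix for ${breaking.package} is ${breaking.fixAvailable.name}@${breaking.fixAvailable.version}, a breaking change`);
  }
  return lines;
}

// Stand-alone run: the registry reported nothing for angular, as in the post.
const registryFindings = {};
console.log(summarize(findMissedAdvisories(SAMPLE_AUDIT, registryFindings, 'high')).join('\n'));
```

To use it for real, replace `SAMPLE_AUDIT` with `JSON.parse` of the output of `npm audit --json` and fill `registryFindings` from whatever your registry exposes; a non-empty result is the signal to open a ticket, as this thread did, rather than to assume the package is clean.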
-
Hi @v-makkenze_6348,
Thanks for bringing this to our attention. I need to dig a bit deeper into this; I should have an update for you by tomorrow.
Thanks,
Rich
-
Hi @v-makkenze_6348,
I was able to identify the issue, PG-2778, and will have this fixed in the next maintenance release of ProGet.
Thanks,
Rich