
ProGet reports no issues but npm audit sees high severity vulnerability



  • Hi,

    In one of our older products we use angular 1.8.3.

    ProGet reports

    This package has no known security vulnerabilities.
    

    but npm audit reports

    angular  *
    Severity: high
    angular vulnerable to regular expression denial of service (ReDoS) - https://github.com/advisories/GHSA-m2h2-264f-f486
    Angular (deprecated package) Cross-site Scripting - https://github.com/advisories/GHSA-prc3-vjfx-vhm9
    angular vulnerable to regular expression denial of service via the angular.copy() utility - https://github.com/advisories/GHSA-2vrf-hf26-jrp5
    angular vulnerable to regular expression denial of service via the $resource service - https://github.com/advisories/GHSA-2qqx-w9hr-q5gx
    angular vulnerable to regular expression denial of service via the <input type="url"> element - https://github.com/advisories/GHSA-qwqh-hm9m-p5hr
    angular vulnerable to super-linear runtime due to backtracking - https://github.com/advisories/GHSA-4w4v-5hc9-xrr2
    fix available via `npm audit fix --force`
    Will install angular@1.6.10, which is a breaking change
    node_modules/angular
    
    1 high severity vulnerability
    
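An added example (not code from the thread or from Inedo) of the cross-check this report calls for: it parses an `npm audit --json` report in the auditReportVersion 2 shape, extracts the GHSA advisory IDs per package, and lists the ones a second scanner's result lacks. The sample report and the second scanner's list are constructed; the two advisory URLs are taken from the npm audit output quoted above.

```python
import json
import re

GHSA_RE = re.compile(r"GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}")

# Constructed sample shaped like npm's auditReportVersion 2 output; the two
# advisory URLs are the ones quoted in the npm audit output in the thread.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "angular": {
            "name": "angular", "severity": "high", "range": "*",
            "via": [
                {"title": "angular vulnerable to ReDoS",
                 "url": "https://github.com/advisories/GHSA-m2h2-264f-f486"},
                {"title": "Angular (deprecated package) XSS",
                 "url": "https://github.com/advisories/GHSA-prc3-vjfx-vhm9"},
            ],
            "nodes": ["node_modules/angular"],
        }
    },
})


def advisories_from_audit(report_json: str) -> dict[str, set[str]]:
    """Map package -> GHSA IDs. `via` entries that are plain strings name the
    dependency the issue is inherited through and carry no ID, so skip them."""
    report = json.loads(report_json)
    found: dict[str, set[str]] = {}
    for pkg, info in report.get("vulnerabilities", {}).items():
        for via in info.get("via", []):
            if isinstance(via, dict):
                match = GHSA_RE.search(via.get("url", ""))
                if match:
                    found.setdefault(pkg, set()).add(match.group(0))
    return found


def missing_from_other_scanner(npm_ids, other_ids):
    """Advisories npm audit reports that the other scanner's list lacks."""
    gap = {pkg: ids - other_ids.get(pkg, set()) for pkg, ids in npm_ids.items()}
    return {pkg: ids for pkg, ids in gap.items() if ids}


if __name__ == "__main__":
    npm_ids = advisories_from_audit(SAMPLE_AUDIT)
    # Constructed: the second scanner flagged nothing, as ProGet did in the thread.
    for pkg, ids in missing_from_other_scanner(npm_ids, {"angular": set()}).items():
        print(f"{pkg}: not flagged by the second scanner: {sorted(ids)}")
```

Feed it the real report with `npm audit --json > audit.json` and the other scanner's per-package advisory list to see exactly which IDs one side is missing.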

  • inedo-engineer

    Hi @v-makkenze_6348,

    Thanks for bringing this to our attention. I need to dig a bit deeper into this, I should have an update for you by tomorrow.

    Thanks,
    Rich


  • inedo-engineer

    Hi @v-makkenze_6348,

    I was able to identify the issue, PG-2778, and will have this fixed in the next maintenance release of ProGet.

    Thanks,
    Rich

