Nikita Garg

Reputation: 157

When installing npm, found 12 high severity vulnerabilities

In Angular 8, when I installed npm, it found 12 high severity vulnerabilities.

Versions:

Angular CLI: 8.0.3
Node: 10.16.0
OS: linux x64
Angular: 8.0.1
... animations, cdk, common, compiler, compiler-cli, core, forms
... language-service, material, platform-browser
... platform-browser-dynamic, platform-server, router

Package                           Version
-----------------------------------------------------------
@angular-devkit/architect         0.800.3
@angular-devkit/build-angular     0.800.3
@angular-devkit/build-optimizer   0.800.3
@angular-devkit/build-webpack     0.800.3
@angular-devkit/core              8.0.3
@angular-devkit/schematics        8.0.3
@angular/cli                      8.0.3
@angular/fire                     5.2.1
@angular/flex-layout              8.0.0-beta.26
@angular/http                     7.2.15
@ngtools/webpack                  8.0.3
@schematics/angular               8.0.3
@schematics/update                0.800.3
rxjs                              6.5.2
typescript                        3.4.5
webpack                           4.30.0

When I run the command npm audit, it shows:

     === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  High            Arbitrary File Overwrite
  Package         fstream
  Patched in      >=1.0.12
  Dependency of   npm
  Path            npm > libcipm > npm-lifecycle > node-gyp > fstream
  More info       https://npmjs.com/advisories/886

  High            Arbitrary File Overwrite
  Package         fstream
  Patched in      >=1.0.12
  Dependency of   npm
  Path            npm > libcipm > npm-lifecycle > node-gyp > tar > fstream
  More info       https://npmjs.com/advisories/886

  High            Arbitrary File Overwrite
  Package         fstream
  Patched in      >=1.0.12
  Dependency of   npm
  Path            npm > libnpm > npm-lifecycle > node-gyp > fstream
  More info       https://npmjs.com/advisories/886

  High            Arbitrary File Overwrite
  Package         fstream
  Patched in      >=1.0.12
  Dependency of   npm
  Path            npm > libnpm > npm-lifecycle > node-gyp > tar > fstream
  More info       https://npmjs.com/advisories/886

  High            Arbitrary File Overwrite
  Package         fstream
  Patched in      >=1.0.12
  Dependency of   npm
  Path            npm > node-gyp > fstream
  More info       https://npmjs.com/advisories/886

  High            Arbitrary File Overwrite
  Package         fstream
  Patched in      >=1.0.12
  Dependency of   npm
  Path            npm > node-gyp > tar > fstream
  More info       https://npmjs.com/advisories/886

  High            Arbitrary File Overwrite
  Package         fstream
  Patched in      >=1.0.12
  Dependency of   npm
  Path            npm > npm-lifecycle > node-gyp > fstream
  More info       https://npmjs.com/advisories/886

  High            Arbitrary File Overwrite
  Package         fstream
  Patched in      >=1.0.12
  Dependency of   npm
  Path            npm > npm-lifecycle > node-gyp > tar > fstream
  More info       https://npmjs.com/advisories/886

  High            Arbitrary File Overwrite
  Package         tar
  Patched in      >=2.2.2 <3.0.0 || >=4.4.2
  Dependency of   npm
  Path            npm > libcipm > npm-lifecycle > node-gyp > tar
  More info       https://npmjs.com/advisories/803

  High            Arbitrary File Overwrite
  Package         tar
  Patched in      >=2.2.2 <3.0.0 || >=4.4.2
  Dependency of   npm
  Path            npm > libnpm > npm-lifecycle > node-gyp > tar
  More info       https://npmjs.com/advisories/803

  High            Arbitrary File Overwrite
  Package         tar
  Patched in      >=2.2.2 <3.0.0 || >=4.4.2
  Dependency of   npm
  Path            npm > node-gyp > tar
  More info       https://npmjs.com/advisories/803

  High            Arbitrary File Overwrite
  Package         tar
  Patched in      >=2.2.2 <3.0.0 || >=4.4.2
  Dependency of   npm
  Path            npm > npm-lifecycle > node-gyp > tar
  More info       https://npmjs.com/advisories/803

found 12 high severity vulnerabilities in 31845 scanned packages
  12 vulnerabilities require manual review. See the full report for details.

I want to get 0 vulnerabilities.

Upvotes: 2

Views: 30095

Answers (2)

Nikita Garg

Reputation: 157

Open the package.json file, search for npm, and remove the npm version line (like "npm": "^6.9.0") from the package.json file.

Then delete the node_modules folder and the package-lock.json file from the project.

Then reinstall using the command npm install.

Now you should see 0 vulnerabilities.

Upvotes: 2

Yennefer

Reputation: 6234

This is not an angular-related question. npm reports that some packages have known security issues.

You can try running npm audit fix to let the dependency be upgraded to a known vulnerable one (if any); otherwise, you have to wait for the package maintainer to fix those issues.

Keep in mind that security vulnerabilities, although very important, are also reported for development packages, which may not end up in your production system.

If upgrading the dependencies (or changing them) does not solve it, you can't do anything on your own.

Upvotes: 3
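Both answers come down to the same triage question: which direct dependency in package.json is the root of every flagged path, and is it a production or a development dependency? The following script is an added example, not code from the question or either answer. It reads the npm 6 `npm audit --json` shape (advisories keyed by id, each with `findings[].paths` written as "a>b>c"; that shape is assumed from the CLI, not shown on the page) together with a package.json, groups the vulnerable paths by their first hop, and reports how many paths would remain if that direct dependency were removed, which is the step the first answer describes. The report and package.json are constructed to mirror the twelve entries quoted in the question (fstream advisory 886, tar advisory 803, all reached through `npm`); the installed versions 1.0.11 and 2.2.1 are assumed, since the question does not show them.

```javascript
// Added example: triage an npm 6 `npm audit --json` report against package.json.
// Constructed inputs mirroring the question's report (fstream #886, tar #803 via `npm`).
const constructedPackageJson = {
  name: "example-app",
  dependencies: {
    "@angular/core": "~8.0.1",
    "rxjs": "~6.5.2",
    "npm": "^6.9.0", // the direct dependency every flagged path starts with
  },
  devDependencies: { "@angular/cli": "~8.0.3", "typescript": "~3.4.5" },
};

// Assumed npm 6 JSON shape: paths are "a>b>c" (no spaces, unlike the text report).
// Installed versions 1.0.11 / 2.2.1 are assumed; the question does not show them.
const constructedAuditReport = {
  advisories: {
    "886": {
      id: 886, module_name: "fstream", severity: "high",
      title: "Arbitrary File Overwrite", patched_versions: ">=1.0.12",
      findings: [{ version: "1.0.11", paths: [
        "npm>libcipm>npm-lifecycle>node-gyp>fstream",
        "npm>libcipm>npm-lifecycle>node-gyp>tar>fstream",
        "npm>libnpm>npm-lifecycle>node-gyp>fstream",
        "npm>libnpm>npm-lifecycle>node-gyp>tar>fstream",
        "npm>node-gyp>fstream",
        "npm>node-gyp>tar>fstream",
        "npm>npm-lifecycle>node-gyp>fstream",
        "npm>npm-lifecycle>node-gyp>tar>fstream",
      ] }],
    },
    "803": {
      id: 803, module_name: "tar", severity: "high",
      title: "Arbitrary File Overwrite", patched_versions: ">=2.2.2 <3.0.0 || >=4.4.2",
      findings: [{ version: "2.2.1", paths: [
        "npm>libcipm>npm-lifecycle>node-gyp>tar",
        "npm>libnpm>npm-lifecycle>node-gyp>tar",
        "npm>node-gyp>tar",
        "npm>npm-lifecycle>node-gyp>tar",
      ] }],
    },
  },
};

// First hop of a dependency path; accepts both "a>b" (JSON) and "a > b" (text report).
function rootOf(path) {
  return path.split(">")[0].trim();
}

// Where the root is declared: prod ships to users, dev normally does not,
// undeclared means nothing in package.json asks for it directly (e.g. a stale lock file).
function classifyRoot(root, pkg) {
  if (pkg.dependencies && root in pkg.dependencies) return "prod";
  if (pkg.devDependencies && root in pkg.devDependencies) return "dev";
  return "undeclared";
}

// Group vulnerable paths by root dependency. npm audit counts paths, not packages,
// which is why two advisories appear as "12 vulnerabilities" in the question.
function triageAudit(report, pkg) {
  const byRoot = new Map();
  let totalPaths = 0;
  for (const adv of Object.values(report.advisories)) {
    const label = `${adv.module_name}#${adv.id} (${adv.severity}, patched in ${adv.patched_versions})`;
    for (const finding of adv.findings) {
      for (const path of finding.paths) {
        totalPaths += 1;
        const root = rootOf(path);
        if (!byRoot.has(root)) {
          byRoot.set(root, { root, scope: classifyRoot(root, pkg), paths: 0, advisories: new Set() });
        }
        const entry = byRoot.get(root);
        entry.paths += 1;
        entry.advisories.add(label);
      }
    }
  }
  const roots = [...byRoot.values()]
    .map((e) => ({ ...e, advisories: [...e.advisories].sort() }))
    .sort((a, b) => b.paths - a.paths);
  return { totalPaths, roots };
}

// Paths left if `root` were dropped from package.json; 0 means that one dependency
// accounts for the entire report.
function pathsRemainingWithout(report, root) {
  let remaining = 0;
  for (const adv of Object.values(report.advisories)) {
    for (const finding of adv.findings) {
      remaining += finding.paths.filter((p) => rootOf(p) !== root).length;
    }
  }
  return remaining;
}

function formatTriage(report, pkg) {
  const { totalPaths, roots } = triageAudit(report, pkg);
  const lines = [`${totalPaths} vulnerable paths via ${roots.length} direct dependency root(s)`];
  for (const r of roots) {
    lines.push(`  ${r.root} [${r.scope}] ${r.paths} paths -> ${r.advisories.join("; ")}`);
    lines.push(`    without it: ${pathsRemainingWithout(report, r.root)} paths remain`);
  }
  return lines.join("\n");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(formatTriage(constructedAuditReport, constructedPackageJson));
}
```

Against a real project, replace the two constructed objects with `JSON.parse` of `npm audit --json` output and of package.json. For the question's report the output is a single root, `npm`, marked `prod`, with 0 paths remaining once it is removed, which is exactly why the first answer's step clears the report; a `dev` root, by contrast, is the case the second answer describes, where the flagged code may never reach production and the decision is about build-machine exposure rather than shipped code.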
