Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

angular-cli (v11.2.13) audit fails from dns-packet vulnerability #20947

Closed
dr-shakya opened this issue May 26, 2021 · 8 comments
Closed

angular-cli (v11.2.13) audit fails from dns-packet vulnerability #20947

dr-shakya opened this issue May 26, 2021 · 8 comments

Comments

@dr-shakya
Copy link

dr-shakya commented May 26, 2021
edited
Loading

Installing angular-cli version 11.2.13 and running an npm audit shows high security vulnerability from dns-packet. The package.json for my setup has devDependencies:
"@angular-devkit/build-angular": "~0.1102.13", "@angular/cli": "~11.2.13"

The npm-audit response is:

High            Memory Exposure                                               
                                                                                
Package         dns-packet                                                    
                                                                                
Patched in      >=5.2.2                                                       
                                                                                
Dependency of   @angular-devkit/build-angular [dev]                           
                                                                                
Path            @angular-devkit/build-angular > webpack-dev-server > bonjour  
                  > multicast-dns > dns-packet                                  
                                                                                
More info       https://npmjs.com/advisories/1745

The issue is also reported in #20795 but only for angular 12
@alan-agius4
Copy link
Collaborator

webpack-dev-server is using bonjour which is using an outdated version of multicast-dns, and therefore this is not actionable by the Angular CLI.

This vulnerability doesn't impact Angular CLI and Webpack Dev-Server as these tools are not meant to be used in production where this security vulnerability can be exploited.

Related upstream issues;
webpack/webpack-dev-server#3340
watson/bonjour#63

@andziaoo7
Copy link

I have the same issue. My package.json has:
"@angular-devkit/build-angular": "0.1102.11",
"@angular/cli": "11.2.11",

@zentoaku
Copy link

zentoaku commented May 26, 2021
edited
Loading

webpack-dev-server is using bonjour which is using an outdated version of multicast-dns, and therefore this is not actionable by the Angular CLI.

This vulnerability doesn't impact Angular CLI and Webpack Dev-Server as these tools are not meant to be used in production where this security vulnerability can be exploited.

Related upstream issues;
webpack/webpack-dev-server#3340
watson/bonjour#63

@alan-agius4
But it impacts security of the CI/CD. There's possibility to import dev packages in production code so npm audit should check all dependencies. Any project that cares heavily about security issues needs to block the whole deployment process if any issue is found.
This issue shouldn't be closed and Angular team should really focus on providing a solution, not shifting the responsibility as anyone using angular has to deal with dependencies it creates.

Also the issue exist in v9

@alan-agius4
Copy link
Collaborator

Hi @zentoaku,

  • In general the NPM audits should be taken with a pinch of salt , one of the problems with npm audit is that there is no way to control if the reported vulnerability is relevant.
  • Unless in CI/CD enviorment you are spawning the dev-server, it is running in an un-secure network and sometime within that network is crafting malicious domain queries this vulnerability cannot be exploited.
  • The NPM advisory is also outdated as this issue has been addressed in dns-packet version 1.3.4.

This issue shouldn't be closed and Angular team should really focus on providing a solution, not shifting the responsibility

Unfortunately this is caused by a transitive dependency of a transitive dependency, literally in this case there is nothing we can do but wait for an upstream fix.

@zentoaku
Copy link

@alan-agius4 I understand and agree that for know you can only wait. But in long term angular should track and care, and if needed replace problematic dependency.
As an example I can tell that in banking any kind of security issue is taken very seriously and therefore checked on the earliest stage possible. For js it will be npm audit unfortunately.

@ElinOlundForsling
Copy link

@alan-agius4 I just want to point out that Bonjour was last updated five years ago, it seems unlikely we'll get an upstream fix for this one.

@alan-agius4
Copy link
Collaborator

The NPM advisory is also outdated as this issue has been addressed directly in dns-packet version 1.3.4, therefore it doesn’t require any action from bonjour.

@angular-automatic-lock-bot
Copy link

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Jun 27, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@zentoaku @andziaoo7 @alan-agius4 @ElinOlundForsling @dr-shakya