Bug report
### Is this a regression?
no
### Description
Up to date NG CLI, creating a new project, npm audit strikes
## Minimal Reproduction
Up to date NG CLI, creating a new project, npm audit strikes
## Exception or Error
<pre><code>
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular-devkit/build-angular [dev]                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular-devkit/build-angular > node-sass > node-gyp > tar   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/803                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
</code></pre>
## Your Environment
<pre><code>
Angular CLI: 7.3.8
Node: 10.15.0
OS: darwin x64
Angular:
...
Package Version
------------------------------------------------------
@angular-devkit/architect 0.13.8
@angular-devkit/core 7.3.8
@angular-devkit/schematics 7.3.8
@schematics/angular 7.3.8
@schematics/update 0.13.8
rxjs 6.3.3
typescript 3.2.4
</code></pre>
**Anything else relevant?**
Nothing further
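An added example, not part of the original issue or of the Angular CLI project: a small Node.js script that walks a `package-lock.json` in the npm 6 (`lockfileVersion: 1`) layout and reports every copy of `tar` below the advisory's patched version, together with the dependency path that the npm audit table above prints. The lock-file contents embedded in the script are constructed for the example and are not a real project's lock file; the package names, the `tar@2.2.1` version and the `4.4.2` threshold are taken from the audit output above.

```javascript
// Added example (not from the Angular CLI issue or project): find every copy of
// a package below an advisory's patched version in a lockfileVersion 1
// package-lock.json and print the path npm audit would show for it.
// The lock-file object below is CONSTRUCTED for this example.

const VULNERABLE = { name: 'tar', patchedIn: '4.4.2' }; // npm advisory 803: tar < 4.4.2

// Constructed sample lock file (v1 layout: nested "dependencies" maps).
const sampleLock = {
  name: 'sample-app',
  lockfileVersion: 1,
  dependencies: {
    '@angular-devkit/build-angular': {
      version: '0.13.8',
      dev: true,
      requires: { 'node-sass': '^4.11.0' },
      dependencies: {
        'node-sass': {
          version: '4.11.0',
          dev: true,
          requires: { 'node-gyp': '^3.8.0' },
          dependencies: {
            'node-gyp': {
              version: '3.8.0',
              dev: true,
              requires: { tar: '^2.0.0' },
              dependencies: {
                tar: { version: '2.2.1', dev: true }, // nested, unpatched copy
              },
            },
          },
        },
      },
    },
    // A hoisted, already-patched copy at the top level. It does NOT replace the
    // nested copy above, which is what node-gyp actually resolves.
    tar: { version: '4.4.8' },
  },
};

// Compare two "major.minor.patch" strings numerically: returns -1, 0 or 1.
// Any pre-release suffix after "-" is ignored; enough for the versions here.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively walk the nested "dependencies" tree, carrying the path from the
// root, and collect every entry named target.name with version < patchedIn.
function findVulnerable(lock, target = VULNERABLE) {
  const hits = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, name];
      if (name === target.name && compareVersions(entry.version, target.patchedIn) < 0) {
        hits.push({ version: entry.version, dev: Boolean(entry.dev), path: here.join(' > ') });
      }
      walk(entry.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Render one hit in the same spirit as the npm audit "Path" row.
function formatHit(hit, target = VULNERABLE) {
  const devTag = hit.dev ? ' [dev]' : '';
  return `${target.name}@${hit.version} (patched in >=${target.patchedIn}) via ${hit.path}${devTag}`;
}

for (const hit of findVulnerable(sampleLock)) {
  console.log(formatHit(hit));
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The walker only understands the nested `dependencies` layout that npm 6 wrote; npm 7 and later use a flat `packages` map keyed by `node_modules/...` paths (`lockfileVersion` 2 and 3), so the traversal would need adapting. The sample deliberately includes a patched copy of `tar` hoisted to the top level: it is never what `node-gyp` loads, which is why the finding persists until the package that requires the old `node-gyp` (here `node-sass`) is itself updated.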
Do NOT manually edit the lock file.
https://github.com/sass/node-sass/pull/2639 node-gyp has been fixed and node-sass is being updated. Once that PR is merged we can bump the node-sass version here.
+1
Any update on this? There has been a CLI update but the error is still persisting.
Wait till sass is updated and give the Angular chaps time, it's Friday (for us anyway). We aren't releasing this weekend.
The Angular guys are extremely quick at resolving issues, patience is key.
This question has already been answered. Can you try this solution https://stackoverflow.com/a/55649551/10961281, it has worked for me
any update?
Check out nodejs/node-gyp#1718 for an ETA on the next node-gyp release containing a fix. At this stage, it looks like they're still debating what version number to give it.
This is not the way to do it. Manually editing the package-lock.json file to fix the dependency version seems like a quick fix but it's not the right fix, since the package-lock file will be overwritten when you run `npm install` again. Guess we should wait on the devs to bump up the dependency version of node-sass and then update this package.
Is it safe to use the CLI to build for production apps while we're waiting on a fix?
The solution of this question solved my problem too, but I don't know how safe/recommended it is: https://stackoverflow.com/questions/55635378/npm-audit-arbitrary-file-overwrite/55649551#55649551
any updates?
New version of tar just has been released: https://github.com/npm/node-tar/issues/212#issuecomment-492463507
Node-sass: https://github.com/sass/node-sass/issues/2625#issuecomment-492464554
any updates?
node-sass is using an older version of node-gyp, hence we are still blocked on this. See: https://github.com/sass/node-sass/issues/2625
any updates? cannot wait for the right solution.
Hi all, node-sass have yet to fix the issue see: https://github.com/sass/node-sass/issues/2625 At this point we are blocked until they do the fix and cut a release.
@subhashkonda I am also facing the same issue with GitHub. Vulnerability fixed on my local but GitHub still shows it vulnerable. They might need some more time to update their audit list.
Closing the issue as this seems to have been fixed upstream without the need to do any changes from our side.
@subhashkonda @art3miz18 @pl4yradam @IsAmrish @pablocid I think it's safe to say if you still see the blocked tag on this issue, they are unable to execute work to fix it. Keep an eye on the fixes this work is dependent on; it's all been documented above what is needed for the Angular team to do what they need to do.
Still waiting for an appropriate solution.
I still have this same issue in CI builds, but locally it is all fine: npm audit gives 0 vulnerabilities. So what can be done here?
27 May 2019 - Still facing the same issue when creating new Angular project via CLI - 12 high vulnerabilities found.
The following solved it for me:
Confirmed. I have tried it this morning.
On Thu, 16 May 2019, 08:54 Alan Agius, notifications@github.com wrote:
Hi! Is this issue going to be fixed soon? Thanks! Angular CLI code error messages are not showing because of this issue.
v4.4.8 was just released.
@xaviergxf, I don't think they need a new release for this issue since it's been fixed upstream.
For those wondering why fixing this issue takes so long, have a look at https://github.com/npm/node-tar/pull/213: they are facing a corner case where updating a library might cause more problems than leaving the security breach open.
Let's hope someone will find a way to solve this.
Any ETA on this as our CI builds complain about this vulnerability.