Solved: angular cli Cross-Site Scripting dependency of serialize-javascript


Hi all,

Looks like there's an npm audit issue dependent on serialize-javascript. Currently the dependency is set to v1.9.1; it seems to be resolved in >=2.1.1.

Any eta on if we can update the dependency?

RE: https://npmjs.com/advisories/1426

Moderate Cross-Site Scripting
Package serialize-javascript
Patched in >=2.1.1
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > copy-webpack-plugin > serialize-javascript

More info https://npmjs.com/advisories/1426

Please read https://angular.io/guide/security#report-issues on how to disclose security related issues.


21 Answers

βœ”οΈAccepted Answer

one fix is that you add it to your resolutions in package.json

"resolutions": {
  "serialize-javascript": "^2.1.1"
}

and then possibly:

rm -r node_modules
npx npm-force-resolutions
npm install

worked for me

Other Answers:

@angular-devkit/build-angular v8.3.21 has been released. npm audit fix now automatically fixes this vulnerability 🎉

Please be aware that the Angular CLI is a Node.js application and the vulnerability specifies that it does not affect Node.js applications.

See the full GitHub advisory here: GHSA-h9rv-jmmf-4pgx

However, a patch release for 8.3 is forthcoming which will resolve npm's warnings.

@marieAugade, @leonlehmann and @masseSnus
The resolutions block is not picked up by npm natively, but is something that works in yarn only.
npm install --save npm-force-resolutions installs a package that will make npm work with the resolutions block.

Executing npx npm-force-resolutions and npm install in your terminal will fix the package-lock.json so that it resolves to the correct package.
But you need to do that every time.
In order for your CI build to get fixed, also add npx npm-force-resolutions to the scripts block as the preinstall step:

"scripts": {
    "preinstall": "npx npm-force-resolutions"
}

npm will execute it every time you run npm install

Hope this helps

Tested and working! Thank you
