Vulnerability Warning Tracking Issue

[clydin]

Two project-level development only packages currently produce vulnerability warnings upon package install of a new project.

• Protractor (1 warning) -- dependency webdriver-js-extender uses an outdated version of selenium-webdriver (UPDATE: Protractor 4.5.0 has been released with a fix)

• Karma (2.0: 6 warnings) -- dependency log4js uses an outdated version of loggly. Note also that log4js (and as a result karma) produce the following deprecated package warnings upon install:

  npm WARN deprecated nodemailer@2.7.2: All versions below 4.0.1 of Nodemailer are deprecated. See   https://nodemailer.com/status/
  npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
  npm WARN deprecated socks@1.1.10: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
  npm WARN deprecated socks@1.1.9: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
  npm WARN deprecated mailcomposer@4.0.1: This project is unmaintained
  npm WARN deprecated buildmail@4.0.1: This project is unmaintained
  npm WARN deprecated uws@9.14.0: stop using this version
  

[devoto13]

As for Protractor there was a discussion about updating/removing webdriver-js-extender dependency, but it is silent for a while.

[IgorMinar]

We should also clarify that these vulnerabilities are not an actual security threat to Angular developers because they affect only tools used for development and not production code.

Having said that we need to resolve these issues regardless because they are confusing and ruin first time experience for Angular users.

[qiyigg]

webdriver-js-extender cannot be removed since we found it is still active, therefore we have to fix it; however the fix is a breaking change might affect lots of existing tests. We are still trying to collect more information to make sure it is ok to make the change.
The fix PR is here

[brgrz]

So npm audit fix --force is not the way to go? Coz it fixes everything and the builds still work :)

[rajarshi-singh]

Can someone please get the potential PR moving and get it fixed? This is breaking our protractor pipeline because the vulnerability is considered as an "error".

[hodo92]

that work for me :
npm set audit false

[rajarshi-singh]

Since the author of the original PR went on vacation and never came back, I have replicated those changes in a new PR here: angular/webdriver-js-extender#20

Someone please take a look.

[lightswitch05]

Any updates on this? I understand it is really only a dev environment issue, but my team is currently reviewing Angular and Vue to decide which to use in a new project. I'm team Angular - but this looks pretty bad straight out of the box in the 'getting started'

[d0vi]

I think it will probably be fixed within the next weeks as the pull request these guys were working was finally merged 4 days ago.

[cahilld]

I'm getting the same. This is great when you are trying to learn Angular for a new job which starts in three days.

npm WARN using --force I sure hope you know what you are doing.
npm WARN deprecated nodemailer@2.7.2: All versions below 4.0.1 of Nodemailer are deprecated. See https://nodemailer.com/status/
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
npm WARN deprecated socks@1.1.10: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
npm WARN deprecated socks@1.1.9: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
npm WARN deprecated mailcomposer@4.0.1: This project is unmaintained
npm WARN deprecated buildmail@4.0.1: This project is unmaintained
npm WARN deprecated uws@9.14.0: stop using this version
⸨ ░░░░░░⸩ ⠹ extract:uws: sill extract form-data@2.0.0

[hansl]

@clydin Protractor just released 4.5.0 which contains fixes for this. Could we try upgrading and see what happens?

[sarunint]

According to karma-runner/karma#3016, log4js@2 will be dropped in karma@3.

[michaelmcandrew]

In case it is useful, here is an issue for npm audit focused on the ability to ignore dev dependencies. It wouldn't stop (for example) the github security warning, but might be part of the solution.

[michael-lang]

I've created a new project with angular CLI 6.0.8 and it comes with these vulnerabilities reported by github out of the box:

adm-zip 0.0.4
hoek 2.16.3
parsejson 0.0.3

Created project with command line:
projectRoot> ng new intro-angular-layouts -g -f --directory .

Sample repo:
https://github.com/NexulAcademy/intro-angular-layouts

[PedroRuiz]

+1

[Georgehatouts]

I have fixed all the warnings by upgrading the karma to version 3.0.0

run npm i karma@3.0.0 --save

proof

found 12 vulnerabilities (9 low, 3 high)
  run `npm audit fix` to fix them, or `npm audit` for details

user@DESKTOP-L33 MINGW64 ~/Documents/Develop/Work/myApp/front-end (develop)
$ npm i karma@3.0.0 --save
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

+ karma@3.0.0
added 15 packages from 53 contributors, removed 32 packages, updated 22 packages and audited 22939 packages in 8.807s
found 0 vulnerabilities

[PedroRuiz]

@Georgehatouts tones of thanks man!!!!

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}