
http-proxy-middleware outdated (Mend vulnerability CVE-2024-21536) #28680

Closed

Comments

@Devvox93

Command: other

Is this a regression? Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was: No response

Description

build-angular 18.2.9 (and earlier versions) reference http-proxy-middleware 3.0.0, which contains a vulnerability.
There is a version 3.0.3 that includes a fix.
For more info, please see: https://dnb.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2024-21536

Minimal Reproduction

Use the latest angular packages (build-angular 18.2.9 at the moment of writing) and scan for vulnerabilities with a tool (like Whitesource Mend).

Exception or Error

No response

Your Environment

Angular CLI: 18.2.9
Node: 20.16.0
Package Manager: npm 10.8.3
OS: win32 x64

Angular: 18.2.8
... animations, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router

Package                          Version
-------------------------------  --------
@angular-devkit/architect        0.1802.9
@angular-devkit/build-angular    18.2.9
@angular-devkit/core             18.2.9
@angular-devkit/schematics       18.2.9
@angular/cli                     18.2.9
@schematics/angular              18.2.9
rxjs                             7.8.1
typescript                       5.5.4
zone.js                          0.14.10

Anything else relevant?

It's not a major issue, since it's on a dev-dependency, but nevertheless it is flagged as a High impact vulnerability (raising red flags and blocks) in our organization and seems like an easy fix to update in build-angular.

@AlejandroGimenezAxa

Hi, @angular/devkit-repo in v17 (17.3.9) points to http-proxy-middleware v2.0.6, that also has this problem. v2.0.7 has a fix too and it would be great to update it.

@alan-agius4
Collaborator

Closed via #28692 and #28691

@anonymous-10101

Is the 18.2.9 version of Angular vulnerable?

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Dec 21, 2024