@angular/core 9.0.0 dependency causes a circular security vulnerability
Describe the bug
While working to fix security vulnerabilities in my own project, Codelyzer 6.0.02 gets flagged for Cross Site Scripting in Angular. Trying to use npm audit fix --force will cause npm to install Codelyzer 0.0.28 for some strange reason. After the first run of npm audit fix --force, vulnerabilities for tslint, minimist, and optimist are flagged by npm. Running npm audit fix --force again will cause the vulnerabilities to revert back to the original vulnerability that suggests installing Codelyzer 0.0.28. Checking Codelyzer's current required version of @angular/core shows that it depends on Angular 9, which is an Angular version flagged by the vulnerability link I mentioned above.
Context and configuration
Bug is caused by dependency on Angular 9.
To Reproduce
Run npm install on a project running Angular 18 (or version 11 or higher) & Codelyzer 6.0.02, and follow npm's inline suggestions for fixing vulnerabilities (see the description above).
Expected behavior
Codelyzer should not cause security vulnerabilities when used with the latest version of Angular.
Code
npm install
npm audit fix --force
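As an added illustration (not part of this report or of the Codelyzer project), the script below shows the check a maintainer would want before running `npm audit fix --force`: read the `npm audit --json` output and flag any suggested fix that is semver-major or would downgrade the installed version, which is the pattern described above (a 6.0.x package being replaced by 0.0.28). The audit JSON and the installed-version table are constructed sample data; the field names (`vulnerabilities`, `fixAvailable`, `isSemVerMajor`) follow the npm 7+ audit JSON shape and are assumed for this example.

```python
import json
import re

# Constructed sample of `npm audit --json` output (npm 7+ shape). The package names
# mirror the report above; this is NOT the output of a real audit run.
SAMPLE_AUDIT_JSON = json.dumps({
    "vulnerabilities": {
        "codelyzer": {
            "name": "codelyzer",
            "severity": "moderate",
            "isDirect": True,
            "via": ["@angular/core"],
            "range": ">=1.0.0",
            # npm proposes an old release as the "fix" -- a semver-major downgrade
            "fixAvailable": {"name": "codelyzer", "version": "0.0.28", "isSemVerMajor": True},
        },
        "minimist": {
            "name": "minimist",
            "severity": "critical",
            "isDirect": False,
            "via": [{"title": "constructed sample advisory", "severity": "critical"}],
            "range": "<1.2.6",
            "fixAvailable": True,  # an in-range fix that plain `npm audit fix` applies
        },
        "tslint": {
            "name": "tslint",
            "severity": "critical",
            "isDirect": True,
            "via": ["optimist"],
            "range": "*",
            "fixAvailable": False,  # nothing npm can resolve automatically
        },
    }
})

# Constructed: versions currently installed in node_modules (what `npm ls` would show).
INSTALLED = {"codelyzer": "6.0.1", "minimist": "1.2.5", "tslint": "5.20.1"}


def parse_version(version):
    """Turn '6.0.1' (or '6.0.1-beta.2') into a comparable tuple of the numeric parts."""
    return tuple(int(re.match(r"\d+", part).group()) for part in version.split("-")[0].split("."))


def is_downgrade(current, proposed):
    """True when the proposed version is older than the one already installed."""
    return parse_version(proposed) < parse_version(current)


def review_fixes(audit_json, installed):
    """Return [(package, verdict)] explaining what each suggested fix would actually do."""
    data = json.loads(audit_json)
    findings = []
    for name, vuln in sorted(data.get("vulnerabilities", {}).items()):
        fix = vuln.get("fixAvailable")
        current = installed.get(name)
        if fix is False:
            findings.append((name, "no automatic fix; review the advisory and dependency chain manually"))
        elif fix is True:
            findings.append((name, "safe in-range fix available (plain `npm audit fix` applies it)"))
        else:
            target = fix["version"]
            if current and is_downgrade(current, target):
                findings.append((name, f"would DOWNGRADE {current} -> {target}; treat as a bogus resolution"))
            elif fix.get("isSemVerMajor"):
                findings.append((name, f"semver-major change {current} -> {target}; only --force applies it, test first"))
            else:
                findings.append((name, f"upgrade {current} -> {target}"))
    return findings


if __name__ == "__main__":
    for package, verdict in review_fixes(SAMPLE_AUDIT_JSON, INSTALLED):
        print(f"{package}: {verdict}")
```

With real data you would pipe `npm audit --json > audit.json` and feed the file contents to `review_fixes`, together with the installed versions from `npm ls --json`; a DOWNGRADE verdict is the signal to stop and pin the package rather than accept what `--force` proposes.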
Environment
- Version: 6.0.1
- OS: macOS Sonoma 14.4.1
- Node.js version: 22.11.0
- Package manager (yarn/npm) version: 10.9.0
- Angular version: 18.2.11
- tslint version: 5.20.1