
Angular project generates moderate and high vulnerabilities

Open hfournier opened this issue 3 years ago • 3 comments

Describe the bug

Angular 11.2.14 project generates moderate and high vulnerabilities after upgrading to netlify-cli 3.38.7

To Reproduce

Steps to reproduce the behavior:

  1. Updated from netlify-cli 3.31.16 to 3.38.7

Configuration

  • If possible, please copy/paste below your netlify.toml.

```toml
[build]
publish = "dist/myproject"
command = "npm run build"
functions = "functions"

[[redirects]]
from = "/*"
to = "/index.html"
status = 200
```
  • Please enter the following command in a terminal and copy/paste its output:
    `npx envinfo --system --binaries --npmPackages netlify-cli --npmGlobalPackages netlify-cli`

```
  System:
    OS: Windows 10 10.0.19043
    CPU: (8) x64 Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
    Memory: 3.53 GB / 15.86 GB
  Binaries:
    Node: 14.17.0 - C:\Program Files\nodejs\node.EXE
    Yarn: 1.22.10 - ~\Documents\Develop\Websites\MTBco25\node_modules\.bin\yarn.CMD
    npm: 6.14.7 - C:\Program Files\nodejs\npm.CMD
  npmPackages:
    netlify-cli: ^3.38.7 => 3.38.7
```

Expected behavior

There should be no vulnerabilities

Additional context

```
  Moderate        Regular expression denial of service
  Package         glob-parent
  Patched in      >=5.1.2
  Dependency of   netlify-cli [dev]
  Path            netlify-cli > @netlify/build > @netlify/functions-utils >
                  cpy > globby > fast-glob > glob-parent
  More info       https://npmjs.com/advisories/1751

  High            Regular Expression Denial of Service
  Package         normalize-url
  Patched in      >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1
  Dependency of   netlify-cli [dev]
  Path            netlify-cli > gh-release-fetch > download > got >
                  cacheable-request > normalize-url
  More info       https://npmjs.com/advisories/1755
```

hfournier avatar Jun 22 '21 22:06 hfournier

Related to https://github.com/kevva/download/pull/212#issuecomment-859738070

erezrokah avatar Jun 23 '21 08:06 erezrokah

```
npm install netlify-cli --save-dev
```

Still an issue in 6.3.5. According to the npm audit, this has been an issue since 2.38.0.

```
glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/netlify-cli/node_modules/cpy/node_modules/glob-parent
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/netlify-cli/node_modules/cpy/node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/netlify-cli/node_modules/cpy/node_modules/globby
      cpy  >=7.0.0
      Depends on vulnerable versions of globby
      node_modules/netlify-cli/node_modules/cpy
        @netlify/cache-utils  *
        Depends on vulnerable versions of cpy
        node_modules/netlify-cli/node_modules/@netlify/cache-utils
          @netlify/build  >=0.1.31
          Depends on vulnerable versions of @netlify/cache-utils
          Depends on vulnerable versions of @netlify/functions-utils
          node_modules/netlify-cli/node_modules/@netlify/build
            netlify-cli  >=2.38.0
            Depends on vulnerable versions of @netlify/build
            node_modules/netlify-cli
        @netlify/functions-utils  *
        Depends on vulnerable versions of cpy
        node_modules/netlify-cli/node_modules/@netlify/functions-utils

8 moderate severity vulnerabilities
```

Title should be updated - not just an angular thing.

simplenotsimpler avatar Aug 13 '21 21:08 simplenotsimpler
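Both audit reports in this thread (the npm 6 table in the issue and the npm 7 tree in the comment above) describe the same situation: the unpatched glob-parent and normalize-url copies sit in netlify-cli's own nested node_modules, where fast-glob and cacheable-request resolve them, even if a patched copy is hoisted to the project root. The block below is an added example, not code from the issue, from netlify-cli or from npm: it walks a lockfileVersion 1 package-lock.json with npm's resolution order (the requirer's nested node_modules first, then each enclosing one) and reports every install chain that ends at a version outside the advisory's "Patched in" range. The package.json, the lockfile and all intermediate versions (@netlify/build 11.0.0, cpy 8.0.0, got 8.3.2, chokidar 3.5.1 and so on) are constructed for illustration; only netlify-cli 3.38.7, the package names on the two reported paths, the severities and the "Patched in" ranges are taken from the thread. It deliberately uses no third-party module, so it runs offline, and its version comparison handles only major.minor.patch.

```javascript
// Added example, not netlify-cli's code: find install chains in an npm 6 style
// package-lock.json (lockfileVersion 1) that end at an unpatched version.
// Everything in packageJson and lockfile below is CONSTRUCTED for illustration.
const packageJson = { devDependencies: { "netlify-cli": "^3.38.7", chokidar: "^3.5.1" } };

const lockfile = {
  lockfileVersion: 1,
  dependencies: {
    // Hoisted, patched copy: reachable from chokidar, must not be reported.
    "glob-parent": { version: "5.1.2", dev: true },
    chokidar: { version: "3.5.1", dev: true, requires: { "glob-parent": "~5.1.2" } },
    "netlify-cli": {
      version: "3.38.7", dev: true,
      requires: { "@netlify/build": "^11.0.0", "gh-release-fetch": "^2.0.0" },
      // netlify-cli's own node_modules; these shadow the hoisted copies above.
      dependencies: {
        "@netlify/build": { version: "11.0.0", dev: true, requires: { "@netlify/functions-utils": "^1.0.0" } },
        "@netlify/functions-utils": { version: "1.0.0", dev: true, requires: { cpy: "^8.0.0" } },
        cpy: { version: "8.0.0", dev: true, requires: { globby: "^9.0.0" } },
        globby: { version: "9.2.0", dev: true, requires: { "fast-glob": "^2.2.6" } },
        "fast-glob": { version: "2.2.7", dev: true, requires: { "glob-parent": "^3.1.0" } },
        "glob-parent": { version: "3.1.0", dev: true },
        "gh-release-fetch": { version: "2.0.0", dev: true, requires: { download: "^8.0.0" } },
        download: { version: "8.0.0", dev: true, requires: { got: "^8.3.1" } },
        got: { version: "8.3.2", dev: true, requires: { "cacheable-request": "^2.1.1" } },
        "cacheable-request": { version: "2.1.4", dev: true, requires: { "normalize-url": "2.0.1" } },
        "normalize-url": { version: "2.0.1", dev: true },
      },
    },
  },
};

// "Patched in" ranges exactly as npm audit printed them in this thread.
const advisories = {
  "glob-parent":   { severity: "moderate", patchedIn: ">=5.1.2" },
  "normalize-url": { severity: "high",     patchedIn: ">=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1" },
};

// Minimal semver: major.minor.patch only. Pre-release tags are ignored, an
// assumption that holds for every version in the reports above.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Evaluate an npm-audit "Patched in" range: `||` separates alternatives and a
// space between comparators means AND.
const ops = { ">=": (c) => c >= 0, "<=": (c) => c <= 0, ">": (c) => c > 0, "<": (c) => c < 0, "=": (c) => c === 0 };
function satisfies(version, range) {
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((comparator) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comparator);
      return ops[m[1] || "="](compareVersions(version, m[2]));
    }));
}

// Depth-first walk from the project's direct dependencies. Each `requires`
// entry is resolved the way Node does: the requirer's own nested node_modules
// first, then each enclosing node_modules up to the project root.
function findVulnerablePaths(lock, directDeps, advisoryTable) {
  const findings = [];
  const seen = new Set(); // one finding per installed copy; also breaks cycles

  const visit = (name, node, scopes, chain) => {
    if (seen.has(node)) return;
    seen.add(node);
    const path = chain.concat(`${name}@${node.version}`);
    const adv = advisoryTable[name];
    if (adv && !satisfies(node.version, adv.patchedIn)) {
      findings.push({ package: name, version: node.version, severity: adv.severity,
                      patchedIn: adv.patchedIn, path: path.join(" > ") });
    }
    const inner = node.dependencies ? scopes.concat([node.dependencies]) : scopes;
    for (const dep of Object.keys(node.requires || {})) {
      for (let i = inner.length - 1; i >= 0; i--) {
        if (inner[i][dep]) { visit(dep, inner[i][dep], inner.slice(0, i + 1), path); break; }
      }
    }
  };

  const root = lock.dependencies || {};
  for (const name of directDeps) if (root[name]) visit(name, root[name], [root], []);
  return findings;
}

const directDeps = Object.keys({ ...packageJson.dependencies, ...packageJson.devDependencies });
const findings = findVulnerablePaths(lockfile, directDeps, advisories);
for (const f of findings) {
  console.log(`${f.severity.padEnd(8)} ${f.package}@${f.version} (patched in ${f.patchedIn})\n         ${f.path}`);
}
```

Against the constructed lockfile this reports exactly the two chains from the issue, glob-parent 3.1.0 under fast-glob and normalize-url 2.0.1 under cacheable-request, and stays silent about the hoisted glob-parent 5.1.2 that chokidar uses. The `seen` set means each installed copy is reported once, on the first path that reaches it, which is what matters for deciding whether `npm audit fix` can bump that copy in place or whether, as the report above shows, the fix needs a major upgrade further up the chain.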

@hfournier Please confirm with the latest version of the CLI that this is still occurring.

ChadEubanks avatar May 10 '22 17:05 ChadEubanks