Manual Review - Some vulnerabilities require your attention to resolve

Question

npm audit

                       === npm audit security report ===                        

# Run  npm update terser-webpack-plugin --depth 3  to resolve 1 vulnerability

  Moderate        Cross-Site Scripting                                          

  Package         serialize-javascript                                          

  Dependency of   @angular-devkit/build-angular [dev]                           

  Path            @angular-devkit/build-angular > webpack >                     
                  terser-webpack-plugin > serialize-javascript                  

  More info       https://npmjs.com/advisories/1426                             




                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             

          Visit https://go.npm.me/audit-guide for additional guidance           


  Moderate        Cross-Site Scripting                                          

  Package         serialize-javascript                                          

  Patched in      >=2.1.1                                                       

  Dependency of   @angular-devkit/build-angular [dev]                           

  Path            @angular-devkit/build-angular > copy-webpack-plugin >         
                  serialize-javascript                                          

  More info       https://npmjs.com/advisories/1426                             


  Moderate        Cross-Site Scripting

  Package         serialize-javascript

  Patched in      >=2.1.1

  Dependency of   @angular-devkit/build-angular [dev]

  Path            @angular-devkit/build-angular > terser-webpack-plugin >
                  serialize-javascript

  More info       https://npmjs.com/advisories/1426

found 3 moderate severity vulnerabilities in 18591 scanned packages
  run `npm audit fix` to fix 1 of them.
  2 vulnerabilities require manual review. See the full report for details.

package.json

{
  "name": "client",
  "version": "0.0.1",
  "author": "Ionic Framework",
  "homepage": "https://ionicframework.com/",
  "scripts": {
    "ng": "ng",
    "start": "ng serve",
    "build": "ng build",
    "test": "ng test",
    "lint": "ng lint",
    "e2e": "ng e2e"
  },
  "private": true,
  "dependencies": {
    "@angular/common": "8.1.2",
    "@angular/compiler": "8.1.2",
    "@angular/core": "8.1.2",
    "@angular/fire": "5.2.3",
    "@angular/forms": "8.1.2",
    "@angular/platform-browser": "8.1.2",
    "@angular/platform-browser-dynamic": "8.1.2",
    "@angular/router": "8.1.2",
    "@ionic-native/camera": "5.12.0",
    "@ionic-native/contacts": "5.12.0",
    "@ionic-native/core": "5.0.0",
    "@ionic-native/facebook": "5.12.0",
    "@ionic-native/file": "5.12.0",
    "@ionic-native/firebase-x": "5.12.0",
    "@ionic-native/http": "5.13.0",
    "@ionic-native/splash-screen": "5.0.0",
    "@ionic-native/status-bar": "5.0.0",
    "@ionic/angular": "4.11.5",
    "@ionic/storage": "2.2.0",
    "@nomadreservations/ngx-stripe": "1.2.0-beta.0",
    "angular-cropperjs": "1.0.1",
    "cordova-android": "8.0.0",
    "cordova-ios": "5.0.1",
    "cordova-plugin-advanced-http": "2.1.1",
    "cordova-plugin-androidx": "1.0.2",
    "cordova-plugin-androidx-adapter": "1.1.0",
    "cordova-plugin-camera": "4.1.0",
    "cordova-plugin-contacts": "3.0.1",
    "cordova-plugin-device": "2.0.2",
    "cordova-plugin-facebook4": "6.0.0",
    "cordova-plugin-file": "6.0.2",
    "cordova-plugin-firebasex": "6.0.7",
    "cordova-plugin-ionic-keyboard": "2.1.3",
    "cordova-plugin-ionic-webview": "4.1.1",
    "cordova-plugin-splashscreen": "5.0.2",
    "cordova-plugin-statusbar": "2.4.2",
    "cordova-plugin-whitelist": "1.3.3",
    "cordova-sqlite-storage": "^3.4.1",
    "core-js": "2.5.4",
    "firebase": "7.4.0",
    "ionic": "5.4.6",
    "jsurl": "0.1.5",
    "lodash": "^4.17.15",
    "moment": "^2.24.0",
    "ngx-image-cropper": "1.4.1",
    "ngx-moment": "^3.5.0",
    "rxjs": "6.5.3",
    "socket.io": "2.2.0",
    "tslib": "1.10.0",
    "zone.js": "0.9.1"
  },
  "devDependencies": {
    "@angular-devkit/architect": "0.801.2",
    "@angular-devkit/build-angular": "^0.801.2",
    "@angular-devkit/core": "8.1.2",
    "@angular-devkit/schematics": "8.1.2",
    "@angular/cli": "8.1.2",
    "@angular/compiler-cli": "8.1.2",
    "@angular/language-service": "8.1.2",
    "@ionic/angular-toolkit": "^2.1.1",
    "@types/jasmine": "3.3.8",
    "@types/jasminewd2": "2.0.3",
    "@types/node": "8.9.4",
    "codelyzer": "5.0.0",
    "cordova-plugin-device": "2.0.2",
    "cordova-plugin-ionic-keyboard": "2.1.3",
    "cordova-plugin-ionic-webview": "4.1.1",
    "cordova-plugin-splashscreen": "5.0.2",
    "cordova-plugin-statusbar": "2.4.2",
    "cordova-plugin-whitelist": "1.3.3",
    "jasmine-core": "3.4.0",
    "jasmine-spec-reporter": "4.2.1",
    "karma": "4.1.0",
    "karma-chrome-launcher": "2.2.0",
    "karma-coverage-istanbul-reporter": "2.0.1",
    "karma-jasmine": "2.0.1",
    "karma-jasmine-html-reporter": "1.4.0",
    "protractor": "5.4.0",
    "ts-node": "7.0.0",
    "tslint": "5.15.0",
    "typescript": "3.4.5"
  },
  "description": "An Ionic project",
  "cordova": {
    "plugins": {
      "cordova-plugin-whitelist": {},
      "cordova-plugin-statusbar": {},
      "cordova-plugin-device": {},
      "cordova-plugin-splashscreen": {},
      "cordova-plugin-ionic-webview": {
        "ANDROID_SUPPORT_ANNOTATIONS_VERSION": "27.+"
      },
      "cordova-plugin-ionic-keyboard": {},
      "cordova-plugin-camera": {
        "ANDROID_SUPPORT_V4_VERSION": "27.+"
      },
      "cordova-plugin-firebasex": {
        "ANDROID_ICON_ACCENT": "#FF00FFFF",
        "ANDROID_PLAY_SERVICES_TAGMANAGER_VERSION": "17.0.0",
        "ANDROID_FIREBASE_CORE_VERSION": "17.0.0",
        "ANDROID_FIREBASE_MESSAGING_VERSION": "19.0.0",
        "ANDROID_FIREBASE_CONFIG_VERSION": "18.0.0",
        "ANDROID_FIREBASE_PERF_VERSION": "18.0.0",
        "ANDROID_FIREBASE_AUTH_VERSION": "18.0.0",
        "ANDROID_CRASHLYTICS_VERSION": "2.10.1",
        "ANDROID_CRASHLYTICS_NDK_VERSION": "2.1.0",
        "ANDROID_SHORTCUTBADGER_VERSION": "1.1.22"
      },
      "cordova-plugin-contacts": {},
      "cordova-plugin-advanced-http": {
        "OKHTTP_VERSION": "3.10.0"
      },
      "cordova-plugin-facebook4": {
        "APP_ID": "412958516026250",
        "APP_NAME": "Peeps",
        "FACEBOOK_HYBRID_APP_EVENTS": "false",
        "FACEBOOK_ANDROID_SDK_VERSION": "5.2.0"
      },
      "cordova-sqlite-storage": {}
    },
    "platforms": [
      "ios",
      "android"
    ]
  }
}

Cross-Site Scripting serialize-javascript

npm doc: https://www.npmjs.com/advisories/1426

It says this:

Overview

Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.

Remediation

Upgrade to version 2.1.1 or later.

But I'm not using serialize-javascript on package.json file. How can I fix this?

Answer 1

OP's feedback

We need to add this too:

"scripts": {
    "preinstall": "npx npm-force-resolutions"
}

Original

This seems to be related to an Angular dependency, and seems pretty new to me so maybe it will be resolved soon by the Angular Team. As a workaround, try to "resolve" the dependency on your own.

First you'll need a third party helper: https://github.com/rogeriochaves/npm-force-resolutions

Then on your package.json add:

 "resolutions": {
    "serialize-javascript": "^2.1.1"
  }

Finally:

rm -r node_modules
npx npm-force-resolutions
npm install