
Angular Update Package CSS-WHAT

Tags:

npm

angular

I have the following angular setup:

     _                      _                 ____ _     ___
    / \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|
   / △ \ | '_ \ / _` | | | | |/ _` | '__|   | |   | |    | |
  / ___ \| | | | (_| | |_| | | (_| | |      | |___| |___ | |
 /_/   \_\_| |_|\__, |\__,_|_|\__,_|_|       \____|_____|___|
                |___/


Angular CLI: 12.0.3
Node: 14.17.0
Package Manager: npm 7.16.0
OS: win32 x64

Angular: 12.0.4
... animations, cdk, common, compiler, compiler-cli, core, forms
... localize, material, platform-browser
... platform-browser-dynamic, router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1200.3
@angular-devkit/build-angular   0.1102.14
@angular-devkit/core            12.0.3
@angular-devkit/schematics      12.0.3
@angular/cli                    12.0.3
@schematics/angular             12.0.3
rxjs                            6.6.7
typescript                      4.2.4

I am having an issue when running npm audit --audit-level high. It is returning a few issues and one of them is the following:

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/css-select
    svgo  >=1.0.0
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  >=4.0.0-nightly.2020.1.9
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  *
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  >=4.0.0-nightly.2020.1.9
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            @angular-devkit/build-angular  *
            Depends on vulnerable versions of @angular-devkit/build-webpack
            Depends on vulnerable versions of resolve-url-loader
            Depends on vulnerable versions of webpack
            Depends on vulnerable versions of webpack-dev-server
            node_modules/@angular-devkit/build-angular

I ran the following update to attempt to resolve the issue,

npm update css-what

but I still get the same issue.

Can anyone help me here? How do I resolve the audit warning?

Stephen Cossgrove asked Jun 10 '21 03:06



1 Answer

I am having an identical issue and I couldn't find a solution to this vulnerability.

I've found out that you simply CAN NOT directly manually update css-what

npm install @angular-devkit/build-angular@latest
# or
npm install css-what@latest

because css-select is an indirect dependency.

The latest possible version that can be installed is 4.0.0 because of the following conflicting dependency:

@angular-devkit/[email protected] requires css-what@^4.0.0 via a transitive dependency on [email protected]. The earliest fixed version is 5.0.1.

This dependency HASN'T been fixed in @angular-devkit/[email protected] either.

There are also threads about it: https://github.com/angular/angular-cli/issues/21185

Timothy answered Oct 07 '22 19:10
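The version constraint described in the answer, as an added example that is not part of the original post: it walks a dependency graph to the vulnerable package and reports which parent's declared range excludes the fixed release. The graph is constructed from the audit chain in the question; only `css-what@^4.0.0` and the fixed version 5.0.1 come from the page, and the `*` ranges are placeholders for ranges the page does not show.

```javascript
// Constructed dependency graph modelled on the audit chain in the question.
// Only css-what@^4.0.0 and the fixed version 5.0.1 come from the page; the
// "*" ranges are placeholders for ranges the page does not show.
const graph = {
  "@angular-devkit/build-angular": { cssnano: "*" },
  cssnano: { "cssnano-preset-default": "*" },
  "cssnano-preset-default": { "postcss-svgo": "*" },
  "postcss-svgo": { svgo: "*" },
  svgo: { "css-select": "*" },
  "css-select": { "css-what": "^4.0.0" },
  "css-what": {},
};

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// True if `version` satisfies `range`; supports only "*" and caret ranges.
function satisfies(version, range) {
  if (range === "*") return true;
  if (!/^\^\d+\.\d+\.\d+$/.test(range)) throw new Error(`unsupported range: ${range}`);
  const v = parse(version), lo = parse(range.slice(1));
  // Caret keeps the left-most non-zero component fixed.
  const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0]
           : lo[1] > 0 ? [0, lo[1] + 1, 0]
           : [0, 0, lo[2] + 1];
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// Walk every path from `root` to `target` and collect the edges whose declared
// range excludes the fixed version: those parents must publish a new release.
function findBlockers(root, target, fixed, path = [root], out = []) {
  for (const [dep, range] of Object.entries(graph[root] || {})) {
    const next = [...path, dep];
    if (dep === target) {
      if (!satisfies(fixed, range)) out.push({ parent: root, range, path: next });
    } else if (!path.includes(dep)) {
      findBlockers(dep, target, fixed, next, out); // skip cycles
    }
  }
  return out;
}

const blockers = findBlockers("@angular-devkit/build-angular", "css-what", "5.0.1");
for (const b of blockers) {
  console.log(`${b.parent} limits css-what to ${b.range}; 5.0.1 is out of range`);
  console.log(`  via ${b.path.join(" > ")}`);
}
```

Because the excluding range is declared by a package several levels down, `npm update css-what` can only move within `^4.0.0`; the audit finding clears once the parent widens its range or the chain above it is upgraded.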