I have vulnerability reported by npm audit in glob-parent package.
When I run npm ls glob-parent I get this:
+-- @angular-devkit/[email protected]
| +-- [email protected]
| | +-- [email protected]
| | | `-- [email protected]
| | `-- [email protected] deduped
| `-- [email protected]
| `-- [email protected]
| `-- [email protected]
+-- @angular/[email protected]
| `-- [email protected]
| `-- [email protected]
+-- [email protected]
| `-- [email protected]
`-- [email protected]
I read it as this glob-parent is being used in
@angular-devkit/build-angular
@angular/compiler-cli
eslint
Is my understanding correct?
If yes then my question is - are these packages used in a prod environment (I mean devkit, compiler, lint - doesn't sound like they are needed after the app is built)?
Or more simply - will the glob-parent vulnerability expose my prod system anyhow?
Versions:
Angular CLI: 12.1.0
Node: 14.17.0
Package Manager: npm 7.14.0
OS: win32 x64
Angular: 12.1.0
... animations, cli, common, compiler, core, forms
... platform-browser, platform-browser-dynamic, platform-server
... router
Package Version
---------------------------------------------------------
@angular-devkit/architect 0.1201.0
@angular-devkit/build-angular 12.1.0
@angular-devkit/core 12.1.0
@angular-devkit/schematics 12.1.0
@angular/compiler-cli 12.1.1
@angular/language-service 12.1.1
@schematics/angular 12.1.0
rxjs 6.6.7
typescript 4.2.4
That's a good question. While your usage is not the same as someone else's, and there's no definitive way someone else can answer this for you, they can venture a guess:
If you look at each package, you can see if you are using it in a prod environment, in a way that an attacker can expose the vulnerability:
@angular-devkit/build-angular -> copy-webpack-plugin -> fast-glob
@angular/compiler-cli -> chokidar
eslint
I would think eslint is just for your developer environment.
I would also think build-angular which is used by the angular-cli is for your developer environment.
It also looks like compiler-cli is an Angular internal.
Also -- are these in your dependencies or devDependencies? Read this article for background on usage of those sections, but the summary probably rings true for you and most users:
unless you’re confident that every dependency is in the right place, it might be advisable to treat all security alerts for vulnerabilities in dependencies the same way, regardless of whether they are for a dependency or devDependency.
So if you have a vulnerability, treat it as a production vulnerability, unless you are confident it's strictly for your development process.
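As an added example (not code from the question or the answer), the script below applies the answer's dependencies-vs-devDependencies check to the tree that `npm ls glob-parent --json` returns: a chain whose top-level package sits in devDependencies is dev-only, any other chain reaches the production install. The tree and package.json here are constructed to mirror the chains named in the answer, and `some-prod-lib` is an invented runtime dependency that does not appear on the page.

```python
# Constructed sample shaped like the parsed output of `npm ls glob-parent --json`.
# Package names follow the chains the answer describes; versions are placeholders
# and "some-prod-lib" is an invented runtime dependency added to show the
# production-reachable case. None of this is the poster's real output.
GP = {"version": "0.0.0-sample"}                      # the vulnerable leaf
CHOKIDAR = {"version": "0.0.0-sample", "dependencies": {"glob-parent": GP}}
NPM_LS = {"name": "my-app", "dependencies": {
    "@angular-devkit/build-angular": {"version": "12.1.0", "dependencies": {
        "copy-webpack-plugin": {"version": "0.0.0-sample", "dependencies": {
            "fast-glob": {"version": "0.0.0-sample",
                          "dependencies": {"glob-parent": GP}}}},
        "chokidar": CHOKIDAR}},
    "@angular/compiler-cli": {"version": "12.1.1",
                              "dependencies": {"chokidar": CHOKIDAR}},
    "eslint": {"version": "0.0.0-sample", "dependencies": {"glob-parent": GP}},
    "some-prod-lib": {"version": "0.0.0-sample",
                      "dependencies": {"chokidar": CHOKIDAR}}}}

# Constructed package.json: which top-level packages are dev-only.
PACKAGE_JSON = {
    "dependencies": {"some-prod-lib": "^1.0.0"},
    "devDependencies": {"@angular-devkit/build-angular": "~12.1.0",
                        "@angular/compiler-cli": "~12.1.1", "eslint": "^7.0.0"}}


def find_chains(node, target, path=()):
    """Yield every dependency chain (tuple of names) ending at `target`."""
    for name, child in (node.get("dependencies") or {}).items():
        chain = path + (name,)
        if name == target:
            yield chain
        yield from find_chains(child, target, chain)


def classify_chains(npm_ls, package_json, target):
    """Split chains by whether the top-level package is a runtime dependency.

    A chain rooted in devDependencies is only installed while building or
    testing; one rooted in dependencies ships with `npm install --production`,
    so a vulnerability reached that way counts as a production finding.
    """
    dev = set(package_json.get("devDependencies", {}))
    prod, dev_only = [], []
    for chain in find_chains(npm_ls, target):
        (dev_only if chain[0] in dev else prod).append(" -> ".join(chain))
    return prod, dev_only
```

The split only says what gets installed on the production host; a flaw in a dev-only tool still matters for the build machine that runs it.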