Skip to content

fix: address devDependencies audit vulnerabilities (sassdoc, gulp-shell) #16534

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Copilot wants to merge 5 commits into
base: master
Choose a base branch
from
Open

fix: address devDependencies audit vulnerabilities (sassdoc, gulp-shell) #16534

Copilot wants to merge 5 commits into from
+612 −877

Conversation

Copy link
Contributor

Copilot AI commented Nov 27, 2025
edited by Lipata
Loading

Closes #16533

Fixes npm audit vulnerabilities in devDependencies (sassdoc, gulp-shell) by removing unused packages and adding npm overrides for transitive dependencies.

Changes:

  1. Removed gulp-shell: The package was not used anywhere in the codebase and had a high severity vulnerability (lodash.template command injection - GHSA-35jh-r3h4-6jhm)

  2. Added npm overrides for sassdoc vulnerabilities: Fixed transitive dependency vulnerabilities in sassdoc using simplified override format:

    • got → ^11.8.6 (moderate severity)
    • html-minifier → html-minifier-terser@^7.0.0 (high severity)
    • marked → ^4.2.5 (high severity)
    • semver-regex → ^4.0.5 (high severity)

  3. Fixed package.json and package-lock.json alignment: Simplified the overrides format from nested objects to direct package overrides to ensure proper alignment between package.json and package-lock.json.

Audit Results:

  • Before: 19 vulnerabilities (4 moderate, 15 high)
  • After: 3 vulnerabilities (3 low severity)

The remaining 3 low severity vulnerabilities are in sassdoc-extras itself (prototype pollution), for which there is no patched version available. These are in devDependencies only and do not affect the production library.

Note: Angular package updates are handled separately in PR #16535 via ng update.

Additional information (check all that apply):

  • Bug fix
  • New functionality
  • Documentation
  • Demos
  • CI/CD

Checklist:

  • All relevant tags have been applied to this PR
  • This PR includes unit tests covering all the new code (test guidelines)
  • This PR includes API docs for newly added methods/properties (api docs guidelines)
  • This PR includes feature/README.MD updates for the feature docs
  • This PR includes general feature table updates in the root README.MD
  • This PR includes CHANGELOG.MD updates for newly added functionality
  • This PR contains breaking changes
  • This PR includes ng update migrations for the breaking changes (migrations guidelines)
  • This PR includes behavioral changes and the feature specification has been updated with them
Original prompt

This section details on the original issue you should resolve

<issue_title>Npm audit failure in the 20.1.x branch</issue_title>
<issue_description>## Description
There are some severe audit issues, which gives us problems in our pipeline.

Steps to reproduce

  1. Check out the 20.1.x branch
  2. npm audit

Result

npm warn Unknown user config "always-auth". This will stop working in the next major version of npm.
npm warn Unknown user config "always-auth" (//packages.infragistics.com/npm/js-licensed/:always-auth). This will stop working in the next major version of npm.
# npm audit report

@angular/common  20.0.0-next.0 - 20.3.13
Severity: high
Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client - https://github.com/advisories/GHSA-58c5-g7wp-6w37
fix available via `npm audit fix`
node_modules/@angular/common
  @angular/forms  4.4.0-RC.0 - 4.4.0 || 20.0.0-next.0 - 20.3.13
  Depends on vulnerable versions of @angular/common
  Depends on vulnerable versions of @angular/platform-browser
  node_modules/@angular/forms
  @angular/platform-browser  20.0.0-next.0 - 20.3.13
  Depends on vulnerable versions of @angular/common
  node_modules/@angular/platform-browser
  @angular/platform-browser-dynamic  20.0.0-next.0 - 20.3.13
  Depends on vulnerable versions of @angular/common
  Depends on vulnerable versions of @angular/platform-browser
  node_modules/@angular/platform-browser-dynamic
  @angular/platform-server  20.0.0-next.0 - 20.3.13
  Depends on vulnerable versions of @angular/common
  Depends on vulnerable versions of @angular/platform-browser
  node_modules/@angular/platform-server
  @angular/router  10.0.0-next.0 - 10.0.0-rc.1 || 20.0.0-next.0 - 20.3.13
  Depends on vulnerable versions of @angular/common
  Depends on vulnerable versions of @angular/platform-browser
  node_modules/@angular/router

astro  <=5.15.8
Severity: high
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass - https://github.com/advisories/GHSA-hr2q-hp5q-x767
Astro vulnerable to reflected XSS via the server islands feature - https://github.com/advisories/GHSA-wrwg-2hg8-v723
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - https://github.com/advisories/GHSA-fvmw-cj7j-j39q
Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values - https://github.com/advisories/GHSA-ggxq-hp9w-j794
Astro development server error page is vulnerable to reflected Cross-site Scripting - https://github.com/advisories/GHSA-w2vj-39qv-7vh7
fix available via `npm audit fix`
node_modules/astro

body-parser  2.2.0
Severity: moderate
body-parser is vulnerable to denial of service when url encoding is used - https://github.com/advisories/GHSA-wqch-xfxh-vrr4
fix available via `npm audit fix`
node_modules/express/node_modules/body-parser

brace-expansion  1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/brace-expansion
node_modules/eslint/node_modules/brace-expansion
node_modules/gulp-typescript/node_modules/brace-expansion
node_modules/istanbul/node_modules/brace-expansion
node_modules/karma-coverage/node_modules/brace-expansion
node_modules/karma/node_modules/brace-expansion
node_modules/rimraf/node_modules/brace-expansion
node_modules/safe-wipe/node_modules/brace-expansion
node_modules/sassdoc/node_modules/brace-expansion

glob  10.2.0 - 10.4.5
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/@npmcli/package-json/node_modules/glob
node_modules/cacache/node_modules/glob
node_modules/jasmine/node_modules/glob

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97   
fix available via `npm audit fix --force`
Will install sassdoc@1.10.12, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        sassdoc  >=1.0.1
        Depends on vulnerable versions of sass-convert
        Depends on vulnerable versions of sassdoc-theme-default
        Depends on vulnerable versions of update-notifier
        node_modules/sassdoc

html-minifier  *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6...

</details>

- Fixes IgniteUI/igniteui-angular#16533

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more [Copilot coding agent tips](https://gh.io/copilot-coding-agent-tips) in the docs.

Copilot AI self-assigned this Nov 27, 2025
@Lipata
fix: update Angular dependencies to 21.0.1 to fix XSRF Token Leakage …
ff98c92 
…vulnerability

Co-authored-by: Lipata <2621802+Lipata@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix npm audit failure in 20.1.x branch fix: update Angular dependencies to 21.0.1 to fix XSRF Token Leakage vulnerability Nov 27, 2025
Copilot AI requested a review from Lipata November 27, 2025 13:44
Copilot finished work on behalf of Lipata November 27, 2025 13:44
@Lipata
Copy link
Member

Lipata commented Nov 27, 2025

@copilot I've updated all the Angular packages, using the ng update command (here is the PR), which is a better option, because it also runs migrations. Please revert all the changes in this PR and work on all the vulnerabilities that are in devDependencies only (sassdoc, gulp-shell) even they require breaking changes.

@Lipata
fix: address devDependencies audit vulnerabilities (sassdoc, gulp-shell)
c38e08b 
Co-authored-by: Lipata <2621802+Lipata@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Nov 27, 2025
edited
Loading

@copilot I've updated all the Angular packages, using the ng update command (here is the PR), which is a better option, because it al...

Reverted the Angular package updates and fixed the devDependencies vulnerabilities in commit c38e08b:

  1. Removed gulp-shell - unused package with high severity vulnerability (lodash.template command injection)
  2. Added npm overrides for sassdoc - fixed transitive dependency vulnerabilities:
    • got → ^11.8.6 (moderate)
    • html-minifier → html-minifier-terser@^7.0.0 (high)
    • marked → ^4.2.5 (high)
    • semver-regex → ^4.0.5 (high)

Audit results: 19 vulnerabilities (4 moderate, 15 high) → 3 low severity vulnerabilities (sassdoc-extras prototype pollution with no patched version available)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • telemetry.astro.build
    • Triggering command: /usr/local/bin/node node scripts/build-sassdoc.mjs --environment=production (dns block)
  • www.infragistics.com
    • Triggering command: /usr/local/bin/node node scripts/build-sassdoc.mjs --environment=production (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title fix: update Angular dependencies to 21.0.1 to fix XSRF Token Leakage vulnerability fix: address devDependencies audit vulnerabilities (sassdoc, gulp-shell) Nov 27, 2025
Copilot finished work on behalf of Lipata November 27, 2025 14:09
@Lipata Lipata requested a review from damyanpetev November 27, 2025 14:12
@Lipata
Copy link
Member

Lipata commented Dec 1, 2025

@copilot, please fix the misalignment between pacakge.json and package-lock.json.

@Lipata Lipata marked this pull request as ready for review December 1, 2025 21:59
@Lipata
fix: align package.json and package-lock.json with simplified overrid…
033a429 
…es format

Co-authored-by: Lipata <2621802+Lipata@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Dec 1, 2025
edited
Loading

@copilot, please fix the misalignment between pacakge.json and package-lock.json.

Fixed in commit 033a429. The nested overrides format wasn't working correctly, so I simplified it to direct package overrides which properly align package.json and package-lock.json. npm audit now reports only 3 low severity vulnerabilities.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • telemetry.astro.build
    • Triggering command: /usr/local/bin/node node scripts/build-sassdoc.mjs --environment=production (dns block)
  • www.infragistics.com
    • Triggering command: /usr/local/bin/node node scripts/build-sassdoc.mjs --environment=production (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot finished work on behalf of Lipata December 1, 2025 22:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Lipata Lipata Awaiting requested review from Lipata

@damyanpetev damyanpetev Awaiting requested review from damyanpetev

At least 1 approving review is required to merge this pull request.

Assignees

@Lipata Lipata

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Npm audit failure in the 20.1.x branch

2 participants

@Lipata