Npm install of karma-angular-filesort installs wrong version of subdependencies.

cli

(Adam Jaffe Back) #1

What I Wanted to Do

After npm install --save-dev karma-angular-filesort, npm audit should return with no security vulnerabilities. karma-angular-filesort sub-dependency ng-dependencies@0.8.1 should be installed which contains the most up-to-date security patch of lodash.

What Happened Instead

After npm install --save-dev karma-angular-filesort, npm prints “found 1 low severity vulnerability” in the console. npm audit shows the vulnerability.

ng-dependencies version 0.3.0 is installed per package-lock.json instead of the most up-to-date, published release 0.8.1. Version 0.3.0 requires a version of lodash with a vulnerability, whereas the most recent release does not.

"ng-dependencies": {
  "version": "0.3.0",
  "resolved": "https://registry.npmjs.org/ng-dependencies/-/ng-dependencies-0.3.0.tgz",
  "integrity": "sha1-/2liqnez3f+bS7ZJb5ThbftsgSE=",
  "dev": true,
  "requires": {
    "esprima": "^2.6.0",
    "estraverse": "^1.5.1",
    "lodash": "^3.0.1"
  }
},

Reproduction Steps

mkdir auditFalsePositive
cd auditFalsePositive/
npm init
npm install --save-dev karma-angular-filesort
npm audit

Details

karma-angular-filesort@1.0.2 (latest version) requires ng-dependencies ^0.3.0, which should resolve to 0.8.1. ng-dependencies@0.8.1 requires lodash@4.0.0, which is patched and should not cause a security vulnerability alert with npm audit.

No npm-debug.log generated.

Thank you so much for your help!

Platform Info

$ npm --versions
{ karmatest: '1.0.0',
  npm: '6.4.1',
  ares: '1.10.1-DEV',
  http_parser: '2.7.0',
  icu: '57.1',
  modules: '48',
  node: '6.9.4',
  openssl: '1.0.2j',
  uv: '1.9.1',
  v8: '5.1.281.89',
  zlib: '1.2.8' }
$ node -p process.platform
darwin

(Lars Willighagen) #2

The caret range (^0.3.0) actually doesn’t resolve to 0.8.1 (at least in npm). The range

Allows changes that do not modify the left-most non-zero digit in the [major, minor, patch] tuple. In other words, this allows patch and minor updates for versions 1.0.0 and above, patch updates for versions 0.X >=0.1.0, and no updates for versions 0.0.X.
(source)

So this range would resolve to the highest version in 0.3.X.
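
The caret rule quoted in the reply above, worked through in code. This is an added example and not code from the thread, npm or the semver library; it implements only the "left-most non-zero digit" rule for plain X.Y.Z versions and ^X.Y.Z ranges, and the list of published versions is constructed (only 0.3.0 and 0.8.1 come from the thread). It shows why a dependant that declares ^0.3.0 keeps pulling 0.3.x, and therefore the vulnerable lodash ^3.0.1, no matter how many newer 0.x releases exist.

```javascript
// Added example, not code from the thread: a minimal implementation of npm's
// caret-range rule ("changes that do not modify the left-most non-zero digit").
// Only plain "X.Y.Z" versions and "^X.Y.Z" ranges are handled; prerelease tags,
// build metadata and other range operators are out of scope.

// Parse "X.Y.Z" into a numeric [major, minor, patch] tuple.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version.trim());
  if (!m) throw new Error(`unsupported version string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two tuples: negative, zero or positive.
function compareTuples(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Exclusive upper bound of a caret range: bump the left-most non-zero
// component and zero everything to its right.
//   ^1.2.3 -> <2.0.0    ^0.3.0 -> <0.4.0    ^0.0.3 -> <0.0.4
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// True when `version` lies in [range base, caretUpperBound(range base)).
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const lower = parseVersion(range.slice(1));
  const upper = caretUpperBound(lower);
  const v = parseVersion(version);
  return compareTuples(v, lower) >= 0 && compareTuples(v, upper) < 0;
}

// Pick the highest published version that satisfies the range (what npm does
// when it resolves a dependency), or null when nothing matches.
function maxSatisfying(range, published) {
  let best = null;
  for (const candidate of published) {
    if (!caretSatisfies(range, candidate)) continue;
    if (best === null ||
        compareTuples(parseVersion(candidate), parseVersion(best)) > 0) {
      best = candidate;
    }
  }
  return best;
}

// Constructed version list for illustration. 0.3.0 and 0.8.1 are the versions
// named in the thread; the others are made up to show the rule's boundaries.
const PUBLISHED_VERSIONS = ['0.2.0', '0.3.0', '0.3.1', '0.4.0', '0.8.1', '1.0.0'];

// The range from karma-angular-filesort's manifest resolves to the newest
// 0.3.x in the list, never to 0.8.1.
console.log(maxSatisfying('^0.3.0', PUBLISHED_VERSIONS)); // 0.3.1
console.log(caretSatisfies('^0.3.0', '0.8.1'));           // false
```

Under this rule the lock file entry shown in the first post is npm behaving correctly, not a resolution bug: the only way for 0.8.1 (and its patched lodash) to be installed is for the dependant package to publish a manifest with a range that covers it, such as ^0.8.1. Until then the audit finding is genuine for anyone who installs that dependant.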


(Adam Jaffe Back) #3

Thanks so much Lars! I knew it was an error on my behalf... thanks for citing the documentation for my learning benefit.


(system) #4

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.