Tags: angular, security, github, lodash

Why does Angular app built with Angular CLI give security warning on github, how do I resolve?


I've built two different Angular apps using the CLI and the following command:

ng new <projectName>

Both of the apps give me a warning on GitHub:

We found a potential security vulnerability in one of your dependencies.

Only the owner of this repository can see this message. Manage your notification settings or learn more about security alerts.

When I check the security alert I see:

[screenshot: security alert]

This is just a library / npm package that is auto-added to the template project.

I'm just learning the new Angular (8.1) and I'm not sure how or if I can remove that default library.

GitHub keeps auto emailing me about this warning and I'm trying to get it to stop. I marked the notifications as read, but it warned me again. Seems like it continues to do this. Do I have to remove the dependency for it to stop?

[screenshot: notification marked as read]

What I've Tried

I just attempted to remove the lodash dependency simply by deleting the dependency and attempting a rebuild, but of course the project requires it and I get an error. Just testing to see if the Angular template project really does need lodash.

[screenshot: removing the dependency]


Solution

  • npm keeps track of indirect dependencies in package-lock.json (yarn uses yarn.lock).

    When you created your Angular project initially, the most recent version of lodash was picked and added to package-lock.json.

    Indirect dependencies are locked in order to ensure that you (or someone else) get the exact same versions every time npm install is called. Otherwise things may work on your computer, but fail for no obvious reason on the computer of a fellow developer.

    But now there is a newer version of lodash, which fixes a security vulnerability. However, the very idea of locking indirect dependencies is to ensure that you will get the exact same version every time.

    If you create a new Angular project today, you will end up with the fixed lodash version 4.17.14.

    To fix your existing project, please run npm install lodash@^4.17.14
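To see why the lockfile matters, the following added example (not part of the question or the answer above) walks a package-lock.json and lists every pinned copy of lodash that is older than the 4.17.14 release the answer names. It handles both the nested lockfileVersion 1 layout and the flat "packages" layout of lockfileVersion 2/3, because a transitive dependency can be pinned more than once at different nesting depths and `npm install lodash@^4.17.14` only updates the copy the root project resolves to. The sample lockfile, the package name "some-tool" and the script name check-lock.js are constructed for illustration.

```javascript
// Compare two dotted version strings numerically; any prerelease suffix is ignored.
// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every pinned copy of `name` in the lockfile with its node_modules path.
// lockfileVersion 1 nests copies under each dependency's "dependencies";
// lockfileVersion 2/3 lists them flat under "packages", keyed by install path.
function findPinnedVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!meta.version) continue; // root entry ("") and workspace links carry no version
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name && meta.version) found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Copies of `name` whose pinned version is older than `fixedVersion`.
function outdatedCopies(lock, name, fixedVersion) {
  return findPinnedVersions(lock, name).filter(
    (copy) => compareVersions(copy.version, fixedVersion) < 0
  );
}

// Version the answer names as carrying the fix.
const FIXED_LODASH = '4.17.14';

// Constructed sample in the lockfileVersion 1 layout: the project pins an old
// direct lodash, and a hypothetical package "some-tool" pins its own fixed copy.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.11' },
    'some-tool': {
      version: '1.0.0',
      dependencies: { lodash: { version: '4.17.14' } },
    },
  },
};

// One line per stale copy, e.g. "node_modules/lodash: 4.17.11 < 4.17.14".
function report(lock) {
  return outdatedCopies(lock, 'lodash', FIXED_LODASH).map(
    (copy) => `${copy.path}: ${copy.version} < ${FIXED_LODASH}`
  );
}

// Stand-alone use: node check-lock.js ./package-lock.json
// Without an argument the constructed sample above is checked.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK_V1;
  const lines = report(lock);
  console.log(lines.length ? lines.join('\n') : 'no outdated lodash copies');
}
```

Run against the sample, the script reports only the root copy, since the nested copy under some-tool is already at the fixed version; run against a real lockfile after `npm install lodash@^4.17.14`, an empty report confirms that no older copy is still pinned elsewhere in the tree.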