I've got Ionic Angular project, and today after i installing some npm packages,
it shows found 3 vulnerabilities (1 low, 2 high) message at the end.
And when i run npm audit it returned this,
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ http-proxy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular-devkit/build-angular [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @angular-devkit/build-angular > webpack-dev-server > │
│ │ http-proxy-middleware > http-proxy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1486 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ http-proxy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma > http-proxy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1486 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular-devkit/build-angular [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @angular-devkit/build-angular > webpack-dev-server > yargs > │
│ │ yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1500 │
└───────────────┴──────────────────────────────────────────────────────────────┘
and then i ran npm audit --prod,
=== npm audit security report ===
found 0 vulnerabilities
in 78 scanned packages
does it mean, it doesn't affect in production environment ?
And once i access the given link in audit report for more info, it says,
No fix is currently available. Consider using an alternative package until a fix is made available.
So is there any alternatives available for http-proxy package ?
Thanks in advance.
does it mean, it doesn't affect in production environment ?
Yes, it will not affect your prod environment. http-proxy is only used in your dev dependency as you can see in the row "Depenceny of".
So is there any alternatives available for http-proxy package ?
I don't think so since Angular uses it itself. We have to wait until there is an official fix.