I am getting a High vulnerability in my Angular project: 'Uncontrolled Resource Consumption in ansi-html'.
I had a few more High vulnerabilities of this type, but those were fixed by adding a 'resolutions' section to package.json and adding "preinstall": "npx npm-force-resolutions" under the scripts section. The ones I fixed that way showed a patched version, like 'Patched in │ >=4.0.1', but this one says 'No patch available', so I am a bit confused about how to fix it. Does anyone have an idea how to fix this? Thanks
If you aren't using ansi-html directly but rely on dependencies that use it, you should instead set up a resolutions section in package.json. (You should never edit package-lock.json directly, since it is regenerated every time you run npm install.) You just need to provide a link to the tarball where you would normally specify the overriding version number. Your resolutions section of package.json should look like this:
"resolutions": {
  "ansi-html": "https://registry.npmjs.org/ansi-html-community/-/ansi-html-community-0.0.8.tgz"
}
Please refer to this post for more details:
Uncontrolled Resource Consumption in ansi-html (CVE-2021-23424) is a vulnerability that won’t be fixed by the project’s author, since it’s been abandoned and there won’t be a patched version of ansi-html.
You just have to go to package-lock.json and find the line with:
"ansi-html": {
  "version": "0.0.7",
  "resolved": "https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz",
  "integrity": "sha1-gTWEAhliqenm/QOflA0S9WynhZ4="
}
And replace with this:
"ansi-html-community": {
  "version": "0.0.8",
  "resolved": "https://registry.npmjs.org/ansi-html-community/-/ansi-html-community-0.0.8.tgz",
  "integrity": "sha512-1APHAyr3+PCamwNw3bXCPp4HFLONZt/yIH0sZp0/469KWNTEy+qN5jQ3GVX6DMZ1UXAi34yVwtTeaG/HpBuuzw=="
}
And this line in the same file:
"dependencies": {
  "ansi-html": "^0.0.7",
Replace with:
"dependencies": {
  "ansi-html-community": "^0.0.8",
Then just run npm update and that's it.
You can get more info in this link.
And check the entire commit here.
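Whichever of the two approaches above you take (a resolutions entry pointing at the ansi-html-community tarball, or a hand edit of package-lock.json), the thing worth verifying afterwards is the lockfile itself: that no ansi-html node survives anywhere in the tree, and that every ansi-html-community node is pinned to 0.0.8 with the integrity hash quoted in the answer above. Note that resolutions is honoured natively by Yarn; with npm it only takes effect through npm-force-resolutions as in the question, or via the overrides field on npm 8.3 and later, which is exactly why a post-install check is useful. The script below is an added example written for this page, not code from the question or from any of the answers. It walks a parsed package-lock.json in either the nested lockfileVersion 1 form or the flat lockfileVersion 2/3 form and returns a list of findings; the function name auditLockfile and the two sample lockfiles are constructed for the example.

```javascript
// Added example (not from the question or the answers): audit a parsed
// package-lock.json for CVE-2021-23424 remediation. Handles both the
// nested "dependencies" tree of lockfileVersion 1 and the flat "packages"
// map of lockfileVersion 2/3. The two sample lockfiles at the bottom are
// constructed for this example.

const VULNERABLE = "ansi-html";
const REPLACEMENT = "ansi-html-community";
const REPLACEMENT_VERSION = "0.0.8";
// Integrity string of ansi-html-community-0.0.8.tgz, as quoted in the answer above.
const REPLACEMENT_INTEGRITY =
  "sha512-1APHAyr3+PCamwNw3bXCPp4HFLONZt/yIH0sZp0/469KWNTEy+qN5jQ3GVX6DMZ1UXAi34yVwtTeaG/HpBuuzw==";

// Returns a list of { path, problem } findings. An empty list means no
// ansi-html node is left and every replacement node is pinned to the
// expected version and tarball integrity.
function auditLockfile(lock) {
  const findings = [];

  const check = (name, path, meta) => {
    if (name === VULNERABLE) {
      findings.push({ path, problem: `${VULNERABLE}@${meta.version} still present (no patch exists)` });
    } else if (name === REPLACEMENT) {
      if (meta.version !== REPLACEMENT_VERSION) {
        findings.push({ path, problem: `${REPLACEMENT}@${meta.version} is not ${REPLACEMENT_VERSION}` });
      }
      if (meta.integrity !== REPLACEMENT_INTEGRITY) {
        findings.push({ path, problem: `${REPLACEMENT} integrity does not match the 0.0.8 tarball` });
      }
    }
  };

  if (lock.packages) {
    // v2/v3: keys look like "node_modules/a/node_modules/@scope/b"; the
    // package name is everything after the last "node_modules/".
    const marker = "node_modules/";
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === "") continue; // the root project itself
      const name = key.slice(key.lastIndexOf(marker) + marker.length);
      check(name, key, meta);
    }
  } else if (lock.dependencies) {
    // v1: nested tree, each node may carry its own "dependencies".
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = prefix ? `${prefix} > ${name}` : name;
        check(name, path, meta);
        if (meta.dependencies) walk(meta.dependencies, path);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample: the state described in the question (lockfileVersion 1),
// with ansi-html pulled in transitively by a dev-server dependency.
const LOCK_BEFORE = {
  lockfileVersion: 1,
  dependencies: {
    "webpack-dev-server": {
      version: "3.11.2",
      dependencies: {
        "ansi-html": {
          version: "0.0.7",
          resolved: "https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz",
          integrity: "sha1-gTWEAhliqenm/QOflA0S9WynhZ4=",
        },
      },
    },
  },
};

// Constructed sample: the state after the replacement, in lockfileVersion 2 form.
const LOCK_AFTER = {
  lockfileVersion: 2,
  packages: {
    "": { name: "my-angular-app" },
    "node_modules/webpack-dev-server": { version: "3.11.2" },
    "node_modules/webpack-dev-server/node_modules/ansi-html-community": {
      version: "0.0.8",
      resolved: "https://registry.npmjs.org/ansi-html-community/-/ansi-html-community-0.0.8.tgz",
      integrity: REPLACEMENT_INTEGRITY,
    },
  },
};

// Usage: node audit-ansi-html.js ./package-lock.json  (exit code 1 on findings)
if (process.argv[2]) {
  const fs = require("fs");
  const findings = auditLockfile(JSON.parse(fs.readFileSync(process.argv[2], "utf8")));
  for (const f of findings) console.log(`${f.path}: ${f.problem}`);
  process.exitCode = findings.length ? 1 : 0;
}
```

Wire it in as a postinstall script so a regenerated lockfile that silently reintroduces ansi-html 0.0.7 fails the build instead of only showing up in the next audit. Checking the integrity string, not just the version, matters because the whole fix rests on pulling a different tarball than the one the original package name would resolve to.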
Updating your Angular to the latest version (Angular 13 is the latest version for now) will solve your problem! Cheers!