I ran npm audit on my project and it gave me this:

    High            Command Injection
    Dependency of   @angular-devkit/build-angular [dev]
    Path            @angular-devkit/build-angular > @ngtools/webpack > tree-kill
    More info       https://npmjs.com/advisories/1432

    High            Command Injection
    Package         tree-kill
    Patched in      >=1.2.2
    Dependency of   @angular-devkit/build-angular [dev]
    Path            @angular-devkit/build-angular > tree-kill
    More info       https://npmjs.com/advisories/1432

tree-kill needs to be updated, but it is a dependency of Angular, not mine. So what now? Do I need to wait for the Angular team to update their own package.json to a newer version of tree-kill?
You can fix this without waiting for a new version of the package @angular-devkit/build-angular. Just do the following steps:

1. Update the package.json file by adding a resolutions section with the proper version of the tree-kill package:

       "resolutions": {
         "tree-kill": "1.2.2"
       }

2. Update package-lock.json by running the command:

       npx npm-force-resolutions

3. Then:

       rm -r node_modules
       npm install

4. Run npm audit to check that your project no longer has this problem. And don't forget to commit the modified files package.json and package-lock.json.

More information about NPM Force Resolutions.
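As an added example (not part of the answer above, and not the npm-force-resolutions tool itself), here is a Node script for verifying step 4 more thoroughly than reading the npm audit summary: it walks package-lock.json and reports every installed copy of tree-kill, nested duplicates included, that is still below the patched 1.2.2. SAMPLE_LOCK is a constructed lockfile with made-up versions, and the function names are my own.

```javascript
// Added example, not code from the question or answer: after `npx npm-force-resolutions`,
// confirm that every installed copy of a package in package-lock.json (nested duplicates
// included, which a top-level override can miss) is at or above the patched version.
// Supports lockfile v1 (nested "dependencies") and v2/v3 (flat "packages" map).

// Minimal semver compare on "major.minor.patch"; pre-release tags are ignored.
function versionAtLeast(actual, wanted) {
  const a = actual.split('-')[0].split('.').map(Number);
  const w = wanted.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (w[i] || 0)) return (a[i] || 0) > (w[i] || 0);
  }
  return true;
}

// Every installed copy of `name` in the lock object: [{ path, version }].
function findInstalled(lock, name) {
  const found = [];
  if (lock.packages) {                                  // v2/v3: keys are install paths
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key.endsWith('node_modules/' + name)) found.push({ path: key, version: entry.version });
    }
    return found;
  }
  const walk = (deps, prefix) => {                      // v1: recurse the nested tree
    for (const [dep, entry] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + dep;
      if (dep === name) found.push({ path, version: entry.version });
      walk(entry.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Copies still below `patched`; an empty result means the resolution took effect everywhere.
function unpatchedCopies(lock, name, patched) {
  return findInstalled(lock, name).filter(c => !versionAtLeast(c.version, patched));
}

// Constructed sample lock (v1 layout, versions made up for this example): the top-level
// tree-kill was forced to 1.2.2, but a nested duplicate under @ngtools/webpack is still 1.2.1.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'tree-kill': { version: '1.2.2' },
    '@angular-devkit/build-angular': { version: '0.0.1', dependencies: {
      '@ngtools/webpack': { version: '0.0.1', dependencies: { 'tree-kill': { version: '1.2.1' } } } } },
  },
};
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` and print the result of `unpatchedCopies(lock, 'tree-kill', '1.2.2')`; any entry listed is a copy the override did not reach.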