Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sdrangelspectrum broken docker image build (angular/core version updated) #43

Open
upya4ko opened this issue Jan 4, 2023 · 0 comments
Open

sdrangelspectrum broken docker image build (angular/core version updated) #43

upya4ko opened this issue Jan 4, 2023 · 0 comments

Comments

@upya4ko
Copy link

upya4ko commented Jan 4, 2023
edited
Loading

It seems related to Bump @angular/core from 9.1.4 to 11.0.5

Reproduce problem:

git clone https://github.com/f4exb/sdrangel-docker.git
cd sdrangel-docker/sdrangelspectrum
./build.sh

Error from build:

Dockerfile:25
--------------------
  24 |     WORKDIR /opt/build/sdrangelspectrum
  25 | >>> RUN npm install \
  26 | >>>     && ng build --prod \
  27 | >>>     && mv dist /opt/build \
  28 | >>>     && rm -rf *
  29 |     
--------------------
ERROR: failed to solve: process "/bin/sh -c npm install     && ng build --prod     && mv dist /opt/build     && rm -rf *" did not complete successfully: exit code: 3

When i run step by step manual by hands it broke on command npm install

root@904886394ab1:/sdrangelspectrum# npm install
npm WARN old lockfile 
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile 
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile 
npm WARN deprecated [email protected]: This functionality has been moved to @npmcli/fs
npm WARN deprecated [email protected]: The functionality that this package provided is now in @npmcli/arborist
npm WARN deprecated [email protected]: Please use @jridgewell/sourcemap-codec instead
npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated [email protected]: This module is not used anymore, npm uses minipass-fetch for its fetch implementation now
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated [email protected]: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated [email protected]: Please update to ini >=1.3.6 to avoid a prototype pollution issue
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: We have news to share - Protractor is deprecated and will reach end-of-life by Summer 2023. To learn more and find out about other options please refer to this post on the Angular blog. Thank you for using and contributing to Protractor. https://goo.gle/state-of-e2e-in-angular
npm WARN deprecated @schematics/[email protected]: This was an internal-only Angular package up through Angular v11 which is no longer used or maintained. Upgrade Angular to v12+ to remove this dependency.
npm WARN deprecated [email protected]: TSLint has been deprecated in favor of ESLint. Please see https://github.com/palantir/tslint/issues/4534 for more information.
npm WARN deprecated [email protected]: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated [email protected]: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated [email protected]: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

added 1396 packages, and audited 1397 packages in 46s

54 packages are looking for funding
  run `npm fund` for details

67 vulnerabilities (2 low, 22 moderate, 34 high, 9 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

Report:

root@904886394ab1:/sdrangelspectrum# npm audit
# npm audit report

ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/ajv
  @angular-devkit/build-angular  <=13.3.1 || 14.0.0-next.0 - 14.0.0-rc.3
  Depends on vulnerable versions of @angular-devkit/architect
  Depends on vulnerable versions of @angular-devkit/build-optimizer
  Depends on vulnerable versions of @angular-devkit/build-webpack
  Depends on vulnerable versions of @angular-devkit/core
  Depends on vulnerable versions of @ngtools/webpack
  Depends on vulnerable versions of ajv
  Depends on vulnerable versions of copy-webpack-plugin
  Depends on vulnerable versions of loader-utils
  Depends on vulnerable versions of minimatch
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of terser
  Depends on vulnerable versions of terser-webpack-plugin
  Depends on vulnerable versions of webpack-dev-server
  Depends on vulnerable versions of webpack-subresource-integrity
  node_modules/@angular-devkit/build-angular
  @angular-devkit/core  0.0.24 - 8.3.28 || 9.0.0-next.0 - 9.1.11 || 10.0.0-next.0 - 10.0.3
  Depends on vulnerable versions of ajv
  node_modules/@angular-devkit/core
    @angular-devkit/architect  <=0.803.28 || 0.900.0-next.0 - 0.901.11 || 0.1000.0-next.0 - 0.1000.3
    Depends on vulnerable versions of @angular-devkit/core
    node_modules/@angular-devkit/architect
      @angular/cli  1.5.6 || 1.6.4 - 9.1.12 || 10.0.0-next.0 - 10.2.0 || 11.0.0-next.0 - 11.0.4 || 11.1.0-next.0 - 11.1.0-rc.0 || 14.1.0-next.0 - 14.1.0-rc.3
      Depends on vulnerable versions of @angular-devkit/architect
      Depends on vulnerable versions of @angular-devkit/core
      Depends on vulnerable versions of @angular-devkit/schematics
      Depends on vulnerable versions of @schematics/angular
      Depends on vulnerable versions of @schematics/update
      Depends on vulnerable versions of ini
      node_modules/@angular/cli
    @angular-devkit/build-webpack  <=0.803.28 || 0.900.0-next.0 - 0.901.11 || 0.1000.0-next.0 - 0.1000.3
    Depends on vulnerable versions of @angular-devkit/architect
    Depends on vulnerable versions of @angular-devkit/core
    node_modules/@angular-devkit/build-webpack
    @angular-devkit/schematics  0.0.43 - 8.3.28 || 9.0.0-next.0 - 9.1.11 || 10.0.0-next.0 - 10.0.3
    Depends on vulnerable versions of @angular-devkit/core
    node_modules/@angular-devkit/schematics
    @ngtools/webpack  6.0.0-beta.2 - 8.3.28 || 9.0.0-next.0 - 9.1.11 || 10.0.0-next.0 - 10.0.3
    Depends on vulnerable versions of @angular-devkit/core
    node_modules/@ngtools/webpack
    @schematics/angular  0.1.12 - 8.3.28 || 9.0.0-next.0 - 9.1.11 || 10.0.0-next.0 - 10.0.3
    Depends on vulnerable versions of @angular-devkit/core
    Depends on vulnerable versions of @angular-devkit/schematics
    node_modules/@schematics/angular
    @schematics/update  <=0.901.12 || 0.1000.0-next.0 - 0.1002.0 || 0.1100.0-next.0 - 0.1100.4 || 0.1101.0-next.0 - 0.1101.0-rc.0
    Depends on vulnerable versions of @angular-devkit/core
    Depends on vulnerable versions of @angular-devkit/schematics
    Depends on vulnerable versions of ini
    node_modules/@schematics/update

ansi-html  <0.0.8
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/ansi-html
  webpack-dev-server  2.0.0-beta - 4.7.2
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of selfsigned
  Depends on vulnerable versions of sockjs
  Depends on vulnerable versions of yargs
  node_modules/webpack-dev-server

ansi-regex  3.0.0 || 5.0.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/@angular/compiler-cli/node_modules/ansi-regex
node_modules/cliui/node_modules/ansi-regex
node_modules/inquirer/node_modules/ansi-regex
node_modules/ora/node_modules/ansi-regex
node_modules/string-width/node_modules/ansi-regex

async  2.0.0 - 2.6.3
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix`
node_modules/async

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via `npm audit fix`
node_modules/browserslist

color-string  <1.5.5
Severity: moderate
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-257v-vj4p-3w2h
fix available via `npm audit fix`
node_modules/color-string

decode-uri-component  <0.2.1
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/decode-uri-component

dns-packet  <1.3.2
Severity: high
Potential memory exposure in dns-packet - https://github.com/advisories/GHSA-3wcq-x3mq-6r9p
fix available via `npm audit fix`
node_modules/dns-packet

elliptic  <=6.5.3
Severity: high
Signature Malleabillity in elliptic - https://github.com/advisories/GHSA-vh7m-p724-62c2
Use of a Broken or Risky Cryptographic Algorithm - https://github.com/advisories/GHSA-r9p9-mrjm-926w
fix available via `npm audit fix`
node_modules/elliptic

engine.io  4.0.0 - 6.2.0
Severity: moderate
Uncaught exception in engine.io - https://github.com/advisories/GHSA-r7qp-cfhv-p84w
fix available via `npm audit fix`
node_modules/engine.io
  socket.io  3.0.0-rc1 - 4.4.1
  Depends on vulnerable versions of engine.io
  node_modules/socket.io

eventsource  <1.1.1
Severity: critical
Exposure of Sensitive Information in eventsource - https://github.com/advisories/GHSA-6h5x-7c5m-7cr7
fix available via `npm audit fix`
node_modules/eventsource

express  <=4.17.2 || 5.0.0-alpha.1 - 5.0.0-alpha.8
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of qs
fix available via `npm audit fix`
node_modules/express

follow-redirects  <=1.14.7
Severity: high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
fix available via `npm audit fix`
node_modules/follow-redirects

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/chokidar/node_modules/glob-parent
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack  0.2.2 - 1.6.1
    Depends on vulnerable versions of chokidar
    node_modules/watchpack
  copy-webpack-plugin  4.3.0 - 5.1.2
  Depends on vulnerable versions of glob-parent
  Depends on vulnerable versions of serialize-javascript
  node_modules/copy-webpack-plugin

hosted-git-info  <2.8.9 || >=3.0.0 <3.0.8
Severity: moderate
Regular Expression Denial of Service in hosted-git-info - https://github.com/advisories/GHSA-43f8-2h32-f4cj
Regular Expression Denial of Service in hosted-git-info - https://github.com/advisories/GHSA-43f8-2h32-f4cj
fix available via `npm audit fix`
node_modules/hosted-git-info
node_modules/normalize-package-data/node_modules/hosted-git-info
node_modules/npm-registry-fetch/node_modules/hosted-git-info
node_modules/pacote/node_modules/hosted-git-info

http-proxy  <1.18.1
Severity: high
Denial of Service in http-proxy - https://github.com/advisories/GHSA-6x33-pw7p-hmpq
fix available via `npm audit fix`
node_modules/http-proxy

ini  <1.3.6
Severity: high
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse - https://github.com/advisories/GHSA-qqgx-2p2h-9c37
fix available via `npm audit fix`
node_modules/ini
node_modules/watchpack/node_modules/fsevents/node_modules/ini
node_modules/webpack-dev-server/node_modules/fsevents/node_modules/ini

is-svg  2.1.0 - 4.2.2
Severity: high
ReDOS in IS-SVG - https://github.com/advisories/GHSA-r8j5-h5cx-65gg
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-7r28-3m3f-r2pr
fix available via `npm audit fix`
node_modules/is-svg
  postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
  Depends on vulnerable versions of is-svg
  Depends on vulnerable versions of svgo
  node_modules/postcss-svgo

json-schema  <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim

json5  <1.0.2 || >=2.0.0 <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/@jsdevtools/coverage-istanbul-loader/node_modules/json5
node_modules/babel-loader/node_modules/json5
node_modules/copy-webpack-plugin/node_modules/json5
node_modules/css-loader/node_modules/json5
node_modules/json5
node_modules/less-loader/node_modules/json5
node_modules/mini-css-extract-plugin/node_modules/json5
node_modules/postcss-loader/node_modules/json5
node_modules/raw-loader/node_modules/json5
node_modules/sass-loader/node_modules/json5
node_modules/source-map-loader/node_modules/json5
node_modules/style-loader/node_modules/json5
node_modules/stylus-loader/node_modules/json5
node_modules/webpack/node_modules/json5
node_modules/worker-plugin/node_modules/json5

jszip  3.0.0 - 3.6.0
Severity: moderate
Prototype Pollution - https://github.com/advisories/GHSA-jg8v-48h5-wgxg
fix available via `npm audit fix`
node_modules/jszip

loader-utils  <=1.4.1 || 2.0.0 - 2.0.3
Severity: critical
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/@jsdevtools/coverage-istanbul-loader/node_modules/loader-utils
node_modules/babel-loader/node_modules/loader-utils
node_modules/copy-webpack-plugin/node_modules/loader-utils
node_modules/css-loader/node_modules/loader-utils
node_modules/less-loader/node_modules/loader-utils
node_modules/loader-utils
node_modules/mini-css-extract-plugin/node_modules/loader-utils
node_modules/postcss-loader/node_modules/loader-utils
node_modules/raw-loader/node_modules/loader-utils
node_modules/sass-loader/node_modules/loader-utils
node_modules/source-map-loader/node_modules/loader-utils
node_modules/style-loader/node_modules/loader-utils
node_modules/stylus-loader/node_modules/loader-utils
node_modules/webpack/node_modules/loader-utils
node_modules/worker-plugin/node_modules/loader-utils
  @angular-devkit/build-optimizer  0.901.0-next.0 - 0.1200.0-rc.3
  Depends on vulnerable versions of loader-utils
  node_modules/@angular-devkit/build-optimizer

lodash  <=4.17.20
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
fix available via `npm audit fix`
node_modules/lodash

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/minimatch
node_modules/watchpack/node_modules/fsevents/node_modules/minimatch
node_modules/webpack-dev-server/node_modules/fsevents/node_modules/minimatch

minimist  <1.2.6
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist
node_modules/watchpack/node_modules/fsevents/node_modules/minimist
node_modules/webpack-dev-server/node_modules/fsevents/node_modules/minimist

node-forge  <=1.2.1
Severity: high
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
Prototype Pollution in node-forge util.setPath API - https://github.com/advisories/GHSA-wxgw-qj99-44c2
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Prototype Pollution in node-forge - https://github.com/advisories/GHSA-92xj-mqp7-vmcj
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned

npm-registry-fetch  <4.0.5
Severity: moderate
Sensitive information exposure through logs in npm-registry-fetch - https://github.com/advisories/GHSA-jmqm-f2gx-4fjv
fix available via `npm audit fix`
node_modules/npm-registry-fetch

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo

path-parse  <1.0.7
Severity: moderate
Regular Expression Denial of Service in path-parse - https://github.com/advisories/GHSA-hj48-42vr-x3v9
fix available via `npm audit fix`
node_modules/path-parse

postcss  <=7.0.35
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-hwj9-h5mp-3pm3
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/postcss

qs  6.5.0 - 6.5.2 || 6.7.0 - 6.7.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix`
node_modules/body-parser/node_modules/qs
node_modules/express/node_modules/qs
node_modules/qs
  body-parser  1.19.0
  Depends on vulnerable versions of qs
  node_modules/body-parser

serialize-javascript  <3.1.0
Severity: high
Insecure serialization leading to RCE in serialize-javascript - https://github.com/advisories/GHSA-hxcc-f52p-wc94
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/serialize-javascript
  terser-webpack-plugin  <=1.4.3 || 2.0.0 - 2.3.5
  Depends on vulnerable versions of serialize-javascript
  node_modules/terser-webpack-plugin
  node_modules/webpack/node_modules/terser-webpack-plugin

socket.io-parser  4.0.0 - 4.0.4
Severity: critical
Insufficient validation when decoding a Socket.IO packet - https://github.com/advisories/GHSA-qm95-pgcg-qqfq
fix available via `npm audit fix`
node_modules/socket.io-parser

sockjs  <0.3.20
Severity: moderate
Improper Input Validation in SocksJS-Node - https://github.com/advisories/GHSA-c9g6-9335-x697
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/sockjs

ssri  5.2.2 - 6.0.1 || 7.0.0 - 7.1.0 || 8.0.0
Severity: high
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-vx3p-948g-6vhq
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-vx3p-948g-6vhq
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-vx3p-948g-6vhq
fix available via `npm audit fix`
node_modules/copy-webpack-plugin/node_modules/ssri
node_modules/make-fetch-happen/node_modules/ssri
node_modules/pacote/node_modules/ssri
node_modules/ssri
node_modules/terser-webpack-plugin/node_modules/ssri
node_modules/webpack/node_modules/ssri

tar  <=4.4.17 || 6.0.0 - 6.1.8
Severity: high
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-qq89-hq3f-393p
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-qq89-hq3f-393p
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc
fix available via `npm audit fix`
node_modules/pacote/node_modules/tar
node_modules/tar
node_modules/watchpack/node_modules/fsevents/node_modules/tar
node_modules/webpack-dev-server/node_modules/fsevents/node_modules/tar

terser  <4.8.1
Severity: high
Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/terser

url-parse  <=1.5.8
Severity: critical
Incorrect hostname / protocol due to unstripped leading control characters. - https://github.com/advisories/GHSA-jf5r-8hm2-f872
Authorization Bypass Through User-Controlled Key in url-parse - https://github.com/advisories/GHSA-hgjh-723h-mx2j
Authorization bypass in url-parse - https://github.com/advisories/GHSA-rqff-837h-mm52
Open redirect in url-parse - https://github.com/advisories/GHSA-hh27-ffr2-f2jc
Incorrect returned href via an '@' sign but no user info and hostname - https://github.com/advisories/GHSA-8v38-pw62-9cw2
Path traversal in url-parse - https://github.com/advisories/GHSA-9m6j-fcg5-2442
fix available via `npm audit fix`
node_modules/url-parse

webpack-subresource-integrity  <1.5.1
Unprotected dynamically loaded chunks - https://github.com/advisories/GHSA-4fc4-chg7-h8gh
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/webpack-subresource-integrity

websocket-extensions  <0.1.4
Severity: high
Regular Expression Denial of Service in websocket-extensions (NPM package) - https://github.com/advisories/GHSA-g78m-2chm-r7qv
fix available via `npm audit fix`
node_modules/websocket-extensions

ws  6.0.0 - 6.2.1
Severity: moderate
ReDoS in Sec-Websocket-Protocol header - https://github.com/advisories/GHSA-6fc8-4gx4-v693
fix available via `npm audit fix`
node_modules/ws

y18n  4.0.0
Severity: high
Prototype Pollution in y18n - https://github.com/advisories/GHSA-c4w7-xm78-47vh
fix available via `npm audit fix`
node_modules/y18n

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/yargs-parser
  yargs  8.0.0-candidate.0 - 12.0.5
  Depends on vulnerable versions of yargs-parser
  node_modules/yargs
    protractor  5.4.4
    Depends on vulnerable versions of yargs
    node_modules/protractor

67 vulnerabilities (2 low, 22 moderate, 34 high, 9 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Try to fix:

root@904886394ab1:/sdrangelspectrum# npm audit fix
npm WARN audit fix [email protected] node_modules/watchpack/node_modules/fsevents/node_modules/ini
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/watchpack/node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/webpack-dev-server/node_modules/fsevents/node_modules/ini
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/webpack-dev-server/node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/watchpack/node_modules/fsevents/node_modules/minimatch
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/watchpack/node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/webpack-dev-server/node_modules/fsevents/node_modules/minimatch
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/webpack-dev-server/node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/watchpack/node_modules/fsevents/node_modules/minimist
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/watchpack/node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/webpack-dev-server/node_modules/fsevents/node_modules/minimist
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/webpack-dev-server/node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/watchpack/node_modules/fsevents/node_modules/tar
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/watchpack/node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/webpack-dev-server/node_modules/fsevents/node_modules/tar
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/webpack-dev-server/node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: @angular/[email protected]
npm ERR! Found: @angular/[email protected]
npm ERR! node_modules/@angular/core
npm ERR!   @angular/core@"~11.0.5" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer @angular/core@"9.1.4" from @angular/[email protected]
npm ERR! node_modules/@angular/animations
npm ERR!   @angular/animations@"^9.1.4" from the root project
npm ERR!   peer @angular/animations@"^9.0.0 || ^10.0.0-0" from @angular/[email protected]
npm ERR!   node_modules/@angular/material
npm ERR!     @angular/material@"^9.2.2" from the root project
npm ERR!   1 more (@angular/platform-browser)
npm ERR! 
npm ERR! Conflicting peer dependency: @angular/[email protected]
npm ERR! node_modules/@angular/core
npm ERR!   peer @angular/core@"9.1.4" from @angular/[email protected]
npm ERR!   node_modules/@angular/animations
npm ERR!     @angular/animations@"^9.1.4" from the root project
npm ERR!     peer @angular/animations@"^9.0.0 || ^10.0.0-0" from @angular/[email protected]
npm ERR!     node_modules/@angular/material
npm ERR!       @angular/material@"^9.2.2" from the root project
npm ERR!     1 more (@angular/platform-browser)
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /root/.npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2023-01-04T05_27_59_059Z-debug-0.log
root@904886394ab1:/sdrangelspectrum#

Try to build:

ng build --prod
Your global Angular CLI version (9.1.13) is greater than your local
version (9.1.4). The local Angular CLI version is used.

To disable this warning use "ng config -g cli.warnings.versionMismatch false".
This version of CLI is only compatible with Angular versions 0.0.0 || ^9.0.0-beta || >=9.0.0 <10.0.0,
but Angular version 11.0.5 was found instead.

Please visit the link below to find instructions on how to update Angular.
https://update.angular.io/

Temporary fix - use previous working commit

$ diff -c  Dockerfile Dockerfile.fix 
*** Dockerfile	2023-01-03 22:00:26.458079307 +0200
--- Dockerfile.fix	2023-01-04 08:40:40.070422302 +0200
***************
*** 22,27 ****
--- 22,29 ----
  RUN git clone https://github.com/f4exb/sdrangelspectrum.git -b ${branch} sdrangelspectrum \
      && echo "${clone_label}" > /dev/null
  WORKDIR /opt/build/sdrangelspectrum
+ # https://github.com/f4exb/sdrangel-docker/issues/43
+ RUN git checkout 88599944cb7155ff2fafd9b3e0ed27bb42d8eb6a
  RUN npm install \
      && ng build --prod \
      && mv dist /opt/build \
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@upya4ko