I need some help understanding and properly correcting the vulnerabilities I see when I run an npm audit (or just npm install) on my Angular project. I just updated from Angular v12 to v13 and there were several vulnerabilities listed. Note, I already ran an 'npm install' and an 'npm update' but still get these audit warnings. The problem is, I don't understand which vulnerabilities I can fix by updating a package, without causing issues with Angular. I started investigating this and noticed that my angular dependencies don't even list the older version being called out by the npm audit, so apparently I don't even understand that.
Further below are 6 examples of audit warnings from over 20 that appear for the postcss package when I run 'npm audit' in my workspace. However, in my package-lock.json file, "@angular-devkit/build-angular" has a "requires" list that includes:
"postcss": "8.4.4",
"postcss-import": "14.0.2",
"postcss-loader": "6.2.1",
"postcss-preset-env": "6.7.0",
I have so many questions... first off, postcss is listed as 8.4.4 so I don't understand why I would have a version previous to 8.2.13 installed, per the audit warning. But, the audit warning says "Path @angular-devkit/build-angular > postcss-preset-env > autoprefixer > postcss"... so does this mean that postcss-preset-env is a different package that's using an older version of the postcss package as its own dependency? More importantly, does this indicate that the older version (6.7.0 in this case) is required and if I update this or run the audit fix, that I'm not fulfilling the dependency here? After all, there's no caret (^6.7.0) so it seems to be indicating a specific version. I just can't tell what I can or should do here. I resolved other 'high' vulnerabilities that were not related to Angular, but what do I do about these ones? Can I fix them without breaking my app? What command would actually update postcss-preset-env? Should I just ignore these as warnings the Angular team has already reviewed and gone ahead with, in their release?
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > autoprefixer > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > css-blank-pseudo > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > css-has-pseudo > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > css-prefers-color-scheme > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > postcss-attribute-case-insensitive > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5
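As an added example that is not part of the question, the script below walks a lockfile in the lockfileVersion-1 "dependencies"/"requires" shape and reproduces the "Path ..." lines npm audit prints, showing how @angular-devkit/build-angular can require postcss 8.4.4 at the top level while a nested, older postcss under postcss-preset-env is what autoprefixer actually resolves to. The lockfile fragment, its nested entries and the 7.x/9.x version numbers are constructed for illustration, not copied from a real Angular 13 install.

```javascript
// Added example, not from the question: reproduce npm audit's "Path ..." lines from a
// lockfileVersion-1 style "dependencies" tree, showing why postcss can be 8.4.4 at the
// top level while an older copy sits nested under postcss-preset-env. Versions and nested
// entries below are constructed for illustration, not copied from a real lockfile.
const lock = {
  dependencies: {
    "@angular-devkit/build-angular": { version: "13.0.0", requires: { postcss: "8.4.4", "postcss-preset-env": "6.7.0" } },
    postcss: { version: "8.4.4" },
    "postcss-preset-env": {
      version: "6.7.0", requires: { autoprefixer: "^9.6.1", postcss: "^7.0.17" },
      dependencies: { // nested copies shadow the root map for this subtree
        postcss: { version: "7.0.39" },
        autoprefixer: { version: "9.8.8", requires: { postcss: "^7.0.32" } },
      },
    },
  },
};
// Node's rule: a require resolves to the nearest enclosing "dependencies" map holding the name, else the root map.
function resolve(lockfile, name, chain) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const nested = chain[i].entry.dependencies;
    if (nested && nested[name]) return nested[name];
  }
  return lockfile.dependencies[name] || null;
}
// Every require-path from the listed top-level packages to `target`, with the version resolving at its end.
function pathsTo(lockfile, target, roots) {
  const out = [];
  function walk(name, entry, ancestors) {
    const chain = [...ancestors, { name, entry }];
    for (const dep of Object.keys(entry.requires || {})) {
      const hit = resolve(lockfile, dep, chain);
      if (!hit) continue;
      if (dep === target) out.push({ path: [...chain.map(c => c.name), dep].join(" > "), version: hit.version });
      else if (!chain.some(c => c.name === dep)) walk(dep, hit, chain); // guard against cycles
    }
  }
  for (const r of roots) if (lockfile.dependencies[r]) walk(r, lockfile.dependencies[r], []);
  return out;
}
// Minimal major.minor.patch comparison, enough for audit's "Patched in >=x.y.z".
function atLeast(version, minimum) {
  const a = version.split(".").map(Number), b = minimum.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}
// Flag each path whose resolved version is below the patched release.
function audit(lockfile, target, patchedIn, roots) {
  return pathsTo(lockfile, target, roots).map(p => ({ ...p, vulnerable: !atLeast(p.version, patchedIn) }));
}
```

Calling `audit(lock, "postcss", "8.2.13", ["@angular-devkit/build-angular"])` reports the direct path resolving to 8.4.4 as fixed and both paths through postcss-preset-env resolving to the nested 7.0.39 as vulnerable, which is the pattern behind the warnings above: the top-level version is fine, the shadowed nested copy is not.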