angular-server-side-configuration@15.0.2 vulnerabilities

Configure an angular application on the server

Direct Vulnerabilities

Known vulnerabilities in the angular-server-side-configuration package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • Information Exposure (severity: M)

angular-server-side-configuration is a package to configure an Angular application on the server.

Affected versions of this package are vulnerable to Information Exposure. angular-server-side-configuration detects used environment variables in TypeScript (.ts) files during build time of an Angular CLI project. The detected environment variables are written to an ngssc.json file in the output directory. During deployment of an Angular-based app, the values of the environment variables listed in ngssc.json are inserted into the app's index.html (or the defined index file).

In version 15.0.0 the environment variable detection was widened to the entire project, relative to the angular.json file from the Angular CLI. In a monorepo setup, this could lead to environment variables intended for a backend/service being detected and written to ngssc.json, and their values would then be populated and exposed via index.html.

Note: This has no impact in a plain Angular project that has no backend component.

How to fix Information Exposure?

Upgrade angular-server-side-configuration to version 15.1.0 or higher.
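
A build-pipeline check for the exposure described above, as an added example that is not part of the advisory or of the package's own code: it compares the variable names in ngssc.json against an allowlist of names the team accepts as public in index.html. It assumes ngssc.json lists the detected names in an `environmentVariables` array (confirm against your own build output); the allowlist, function names and sample data are hypothetical.

```javascript
// Added example: CI gate for ngssc.json (not code from angular-server-side-configuration).
// Assumption: ngssc.json lists detected names in an "environmentVariables" array.

// True when `name` matches an allowlist entry; a trailing "*" is a prefix wildcard.
function isAllowed(name, allowlist) {
  return allowlist.some((entry) =>
    entry.endsWith("*") ? name.startsWith(entry.slice(0, -1)) : name === entry
  );
}

// Parses ngssc.json text and reports variables that are not on the frontend allowlist.
// Fails closed: unparsable input or an unexpected structure counts as a failed audit.
function auditNgssc(ngsscText, allowlist) {
  let parsed;
  try {
    parsed = JSON.parse(ngsscText);
  } catch (err) {
    return { ok: false, unexpected: [], error: "ngssc.json is not valid JSON" };
  }
  const vars = parsed && parsed.environmentVariables;
  if (!Array.isArray(vars) || !vars.every((v) => typeof v === "string")) {
    return { ok: false, unexpected: [], error: "environmentVariables must be an array of strings" };
  }
  const unexpected = [...new Set(vars)].filter((v) => !isAllowed(v, allowlist)).sort();
  return { ok: unexpected.length === 0, unexpected, error: null };
}

// Constructed sample: a monorepo build where backend variables were detected too.
const SAMPLE_NGSSC = JSON.stringify({
  environmentVariables: ["API_URL", "PUBLIC_FEATURE_FLAGS", "DATABASE_PASSWORD", "JWT_SIGNING_KEY"],
});

// Hypothetical allowlist of names whose values may appear in index.html.
const FRONTEND_ALLOWLIST = ["API_URL", "PUBLIC_*"];

const result = auditNgssc(SAMPLE_NGSSC, FRONTEND_ALLOWLIST);
console.log(
  result.ok
    ? "ngssc.json contains only allowlisted variables"
    : `ngssc.json audit failed: ${result.error || result.unexpected.join(", ")}`
);
```

Run against the real file after the Angular build and before deployment, a failed audit should stop the pipeline so that the unexpected values are never written into index.html.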

Vulnerable versions: >=15.0.0 <15.1.0