jordan-hall / angular-material-rail-drawer-plugin Goto Github PK

View Code? Open in Web Editor NEW

47.0 47.0 13.0 1005 KB

Angular Material extension for mini/rail drawer variant

License: Other

JavaScript 1.11% TypeScript 98.89%

angular-material-rail-drawer-plugin's People

Contributors

Stargazers

Watchers

Forkers

zandole raftario ben0421 jfbloom22 gallimathias mgaert yoshi-dev rukhsar08 hiro-a-c-3 cawado braincompiler sandeepthomas sebveit

angular-material-rail-drawer-plugin's Issues

CVE-2020-7693 (Medium) detected in sockjs-0.3.19.tgz

CVE-2020-7693 - Medium Severity Vulnerability

Vulnerable Library - sockjs-0.3.19.tgz

SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication

Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz

Path to dependency file: angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/sockjs/package.json

Dependency Hierarchy:

build-angular-0.901.5.tgz (Root Library)
- webpack-dev-server-3.10.3.tgz
  - ❌ sockjs-0.3.19.tgz (Vulnerable Library)

Vulnerability Details

Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

Publish Date: 2020-07-09

URL: CVE-2020-7693

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: sockjs/sockjs-node#265

Release Date: 2020-07-09

Fix Resolution: sockjs - 0.3.20

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28498 (Medium) detected in elliptic-6.5.2.tgz

CVE-2020-28498 - Medium Severity Vulnerability

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/elliptic/package.json

Dependency Hierarchy:

build-angular-0.901.5.tgz (Root Library)
- webpack-4.42.0.tgz
  - node-libs-browser-2.2.1.tgz
    - crypto-browserify-3.12.0.tgz
      - browserify-sign-4.1.0.tgz
        
        ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Vulnerability Details

The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

Publish Date: 2021-02-02

URL: CVE-2020-28498

CVSS 3 Score Details (6.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498

Release Date: 2021-02-02

Fix Resolution: v6.5.4

Step up your Open Source Security Game with WhiteSource here

Blinking when opens

Hi! When sidenav gets opened it blinks for a moment.
This can be seen at stackblitz from a recent issue: https://stackblitz.com/edit/angular-material-mini-variant

When the sidenav's background is white it's not a big deal, but when it's colored the flash becomes apparent. Blink happens only on opening, not closing.

Type '"rail"' is not assignable to type 'MatDrawerMode'

When following the installation steps outlined in the readme and running ng build
I receive the following error:

Error: src/app/components/navigation/navigation.component.html:13:38 - error TS2322: Type '"rail"' is not assignable to type 'MatDrawerMode'.

13   <mat-sidenav #left class="sidenav" mode="rail" opened closeWidth="60px" expandedWidth="200px"
                                        ~~~~

  src/app/components/navigation/navigation.component.ts:5:16
    5   templateUrl: './navigation.component.html',
                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Error occurs in the template of component NavigationComponent.

I am using angular 12.1.2, node 14.16.
Below is my package.json dependencies


"dependencies": {
    "@angular/animations": "~12.1.2",
    "@angular/cdk": "^12.1.2",
    "@angular/common": "~12.1.2",
    "@angular/compiler": "~12.1.2",
    "@angular/core": "~12.1.2",
    "@angular/forms": "~12.1.2",
    "@angular/material": "^12.1.2",
    "@angular/platform-browser": "~12.1.2",
    "@angular/platform-browser-dynamic": "~12.1.2",
    "@angular/router": "~12.1.2",
    "@datorama/akita": "^6.2.1",
    "angular-material-rail-drawer": "0.0.6",
    "angular-oauth2-oidc": "^10.0.3",
    "angular-pipes": "^10.0.0",
    "rxjs": "~6.6.0",
    "tslib": "^2.0.0",
    "zone.js": "~0.11.4"
  }

here is my app.module.ts


import { LayoutModule } from '@angular/cdk/layout';
import { HttpClientModule } from '@angular/common/http';
import { NgModule } from '@angular/core';
import { BrowserModule } from '@angular/platform-browser';
import { BrowserAnimationsModule } from '@angular/platform-browser/animations';
import { DrawerRailModule } from 'angular-material-rail-drawer';
import { OAuthModule } from 'angular-oauth2-oidc';
import { NgArrayPipesModule, NgWherePipeModule } from 'angular-pipes';

import { AppRoutingModule } from './app-routing.module';
import { AppComponent } from './app.component';
import { HealthComponent } from './components/health/health.component';
import { HomeComponent } from './components/home/home.component';
import { LogoutComponent } from './components/logout/logout.component';
import { NavigationComponent } from './components/navigation/navigation.component';
import { SnackBarMessageComponent } from './components/snack-bar-message/snack-bar-message.component';
import { AdministrationModule } from './modules/administration/administration.module';
import { GravityMaterialModule } from './modules/gravity-material/gravity-material.module';
import { AuthGuard } from './services/auth-guard/auth-guard.service';
import { ConfigModule } from './services/config/config.module';

@NgModule({
  declarations: [
    AppComponent,
    NavigationComponent,
    HomeComponent,
    HealthComponent,
    LogoutComponent,
    SnackBarMessageComponent
  ],
  imports: [
    OAuthModule.forRoot(),
    NgArrayPipesModule,
    NgWherePipeModule,
    BrowserModule,
    AppRoutingModule,
    BrowserAnimationsModule,
    HttpClientModule,
    LayoutModule,
DrawerRailModule,
    MyMaterialModule,
    AdministrationModule,
    ConfigModule
    
  ],
  providers: [AuthGuard],
  bootstrap: [AppComponent],
})
export class AppModule {}

In my navigation.component that has the mat-sidenav here is the markup

  <mat-sidenav #left class="sidenav" mode="rail" opened closeWidth="60px" expandedWidth="200px"
    [fixedInViewport]="true" [fixedTopGap]="65">

I am not sure if this is angular version issue or if I am missing something. I have my material modules in a separate module, i.e. MyMaterialModule which is imported into the appModule, I have also tried moving the DrawerRailModule to AppModule but this did not help. I can provide more information if required.

Upgrading to Angular 10 gives dependency error

Hi there,

1st - Thank you! Its amazing that the Angular Material team don't have this in their original control. I would have thought it was a common use case.

2nd - I just upgraded from Angular 9.1.5 to v10 (which was only released yesterday) and when doing the Material part of the upgrade, it rejects it with a dependency error as you've marked your plugin to use < 10.0.0. I used the --forced option to complete the upgrade and the control still works. Granted I've only been testing in Chrome so far. Just checked the Angular Material documentation and it still does not make mention of mode="rail" as one of the options. So I think its safe for you to raise the dependency version to allow the upgrade without using --forced.

Prevent autoscroll

Hello, I have ran into a strange behavior today. When using a mat-toolbar as a header outside of the mat-sidenav-container, the page will autoscroll to only fit the sidenav thus hiding the header.
I'm on a project where I need to have the header on top of the sidenav.
If you want to reproduce, just use your example (BTW you forgot to add your plugin "angular-material-rail-drawer-plugin" dependancy inside it) and replace home.component.html with the following :

<mat-toolbar color="primary" class="mat-elevation-z1">
  <button mat-icon-button id="menu" (click)="appDrawer.toggle()">
    <mat-icon>menu</mat-icon>
  </button>
  <span>Mini Variant</span>
</mat-toolbar>
<mat-sidenav-container>
  <mat-sidenav #appDrawer mode="rail" opened="true">
    <mat-nav-list class="dashboard">
        <a mat-list-item>
          <mat-icon mat-list-icon >account_circle</mat-icon>
          <p matLine>Name</p>
        </a>

        <mat-divider></mat-divider>

        <a mat-list-item>
						<mat-icon mat-list-icon>inbox</mat-icon>
						<p matLine>Inbox</p>
				</a>
        <a mat-list-item>
						<mat-icon mat-list-icon>star</mat-icon>
						<p matLine>Starred</p>
				</a>
        <a mat-list-item>
						<mat-icon mat-list-icon>drafts</mat-icon>
						<p matLine >Drafts</p>
				</a>
    </mat-nav-list>
  </mat-sidenav>
  <mat-sidenav-content>
    <mat-toolbar color="primary" class="mat-elevation-z1">
      <button mat-icon-button id="menu" (click)="appDrawer.toggle()">
        <mat-icon>menu</mat-icon>
      </button>
      <span>Mini Variant</span>
    </mat-toolbar>
    <div class="container">
      <h1 style="text-transform: uppercase">
        Angular Material Navigation drawer — Adding support mode = “Rail” (mini variant behaviour)
      </h1>
    <p>Since 2016, the Angular community has been shouting out of a <a href="https://github.com/angular/components/issues/1728" class="cl gt gu gv gw gx" target="_blank" rel="noopener nofollow">mini variant for material design</a>, including this article by <a href="https://medium.com/u/2a8339499ae0?source=post_page-----8f7b107700b3----------------------" class="gy be gt" target="_blank" rel="noopener">Harkirat Singh</a> which you can view here: <a class="cl gt gu gv gw gx" target="_blank" rel="noopener" href="/@harkiratsingh.026/angular-6-mini-variant-drawer-d5326be55dd1">Angular 6 — Mini-Variant Drawer</a>. Unfortunately every version I’ve seen currently uses some form of *ngIf</p>
    
    <figure><div><div><iframe src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fstackblitz.com%2Fedit%2Fangular-jwbu9k%3Fembed%3D1%26file%3Dsrc%252Fapp%252Fminivariant.component.ts&amp;display_name=StackBlitz&amp;url=https%3A%2F%2Fstackblitz.com%2Fedit%2Fangular-jwbu9k%3Ffile%3Dsrc%252Fapp%252Fminivariant.component.ts&amp;image=https%3A%2F%2Fc.staticblitz.com%2Fassets%2Ficon-664493542621427cc8adae5e8f50d632f87aaa6ea1ce5b01e9a3d05b57940a9f.png&amp;key=a19fcc184b9711e1b4764040d3dc5c07&amp;type=text%2Fhtml&amp;schema=stackblitz" allowfullscreen="" frameborder="0" height="400" width="100%" title="angular-jwbu9k - StackBlitz" scrolling="auto"></iframe></div></div></figure>
    
    
    <p>Other solutions include using CSS and setting a min with; however, what all of these solutions are lacking are animation support and straight forward implantation. In late December a client I was working for, wanted to use the official <a href="https://material.angular.io/" target="_blank" rel="noopener nofollow">Angular Material design</a> but also wanted to support a mini variant. At the time, I wrote a prototype using a customer directive called <code>mat-nav-mini.</code></p>
    
    <h2>My issues with <code>mat-nav-mini</code> Solution</h2>
    
    <p>The implementation was easy. You pick either the drawer or the sidenav drawer and add the custom directive. However, the UI was written abstract and wasn’t using the official <code>mat-sidenav-container.</code> However, I still didn’t like this approach; it felt bulky and still not a “realistic” implementation that the official team my introduce. At the time, I decided to share the result on <a href="https://github.com/angular/components/issues/1728#issuecomment-576750289"  target="_blank" rel="noopener nofollow">Github</a> for people to use as a cleaner implementation to *ngIf.</p>
    
    <p>Then the other day, I looked back through the thread on GitHub, and someone called <a href="https://github.com/angular/components/issues/1728#issuecomment-617342659" target="_blank" rel="noopener nofollow">Angelfraga</a> asked to create a working example.</p>
    
    <figure><div><div><div><div><img width="100%"  srcset="https://miro.medium.com/max/552/1*jO-d5LA3lHl0lqq3VO8Nzg.png 276w, https://miro.medium.com/max/1104/1*jO-d5LA3lHl0lqq3VO8Nzg.png 552w, https://miro.medium.com/max/1280/1*jO-d5LA3lHl0lqq3VO8Nzg.png 640w, https://miro.medium.com/max/1400/1*jO-d5LA3lHl0lqq3VO8Nzg.png 700w" sizes="700px" role="presentation" src="https://miro.medium.com/max/753/1*jO-d5LA3lHl0lqq3VO8Nzg.png"><noscript><img class="s t u ik ai" src="https://miro.medium.com/max/1506/1*jO-d5LA3lHl0lqq3VO8Nzg.png" width="753" height="229" srcSet="https://miro.medium.com/max/552/1*jO-d5LA3lHl0lqq3VO8Nzg.png 276w, https://miro.medium.com/max/1104/1*jO-d5LA3lHl0lqq3VO8Nzg.png 552w, https://miro.medium.com/max/1280/1*jO-d5LA3lHl0lqq3VO8Nzg.png 640w, https://miro.medium.com/max/1400/1*jO-d5LA3lHl0lqq3VO8Nzg.png 700w" sizes="700px" role="presentation"/></noscript></div></div></div></div></figure>
    
    <p>A few more days have passed by, and I decided, I’ll make a working example. However, for the working example, I wanted to make the right implementation that meet my strict objectives</p>
    
    <ul class="">
      <li>They should be no new directive.</li>
      <li>No extra markup to ensure element was hiding</li>
      <li>Simple end-user implementation</li>
      <li>Something that should be relatively easy to migrate if Angular Material get chance to make an official release</li>
    </ul>
    
    <h2>Designing a solution</h2>
    <p>Material has long last drawn up specs for <a href="https://material.io/components/navigation-rail" target="_blank" rel="noopener nofollow">“Navigation rail.”</a> Inside the Specs they a behaviour usage: “Some apps, such as <a href="https://material.io/design/material-studies/reply" target="_blank" rel="noopener nofollow">Material’s Reply</a>, customize and extend the rail to function as both a rail and a navigation drawer.”</p>
    
    
    <p>The goal is now to create a drawer implementation for a new mode setting <code>mode="rail".</code> Any new implementation should be implementing the existing material drawer component but with <code >mode="rail"</code>.</p>
    
    <p>The solution meant no extending drawer component, no CSS solution but somehow adding functionality to “mode” which was an input for both md-drawer and md-sidenav-drawer</p>
    
    <h2>Solving the the problem</h2>
    <p>The first step was determining the first issue to overcome. The design solution requires you to use the mode input with the option of “rail” this was easy to overcome as every <code >@Input()</code>In angular is a simple implementation of the custom directive.</p>
    
    <p>The next problem was the SCSS. Looking at the specs for Navigation rail, the drawer would be the same spec as the “side” drawer; this meant we didn’t have to write custom scss file that needed to import. That allowed me to use the “host” property and assign the same class as “side”.</p>
    <p>After tackling these two issues, after two hours of work, looking through angular code file, I managed to come up with a solution. The solution is a simple directive that needs to include in your module.</p>
    
    <p><strong class="gb jq">Result</strong> is the page you are looking at. <a href="https://stackblitz.com/edit/angular-material-mini-variant">View Source</a></p>
    </div>
    
  </mat-sidenav-content>
</mat-sidenav-container>

You'll see that when clicking on the sidebar on any of the icons, the page will "jump" to hide the header.

CVE-2020-28500 (Medium) detected in lodash-4.17.15.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/lodash/package.json

Dependency Hierarchy:

karma-5.0.5.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash-4.17.21

Step up your Open Source Security Game with WhiteSource here

Mode does not work for property binding values

Hi Jordan.

Thank you for the plugin and for sharing is with the community!

I would like to make the mode conditional (based on media queries) but as soon as I change the mode to a property binding value, it defaults to 'over'.

<mat-sidenav #appDrawer [mode]="mode" opened="true">

import { Component, ViewChild, ElementRef } from '@angular/core';

@Component()
export class AppComponent {
  mode = 'rail';
}

Please can you point me in the right direction?
Thanking you
Amanda

Navbar doesn't keeps the box shadow while closed

If I use a box-shadow, the side-nav (mode="rail"), keeps it only when opened. When I close, the box-shadow disapear.

WS-2020-0070 (High) detected in lodash-4.17.15.tgz

WS-2020-0070 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: /tmp/ws-scm/angular-material-rail-drawer-plugin/node_modules/lodash/package.json

Dependency Hierarchy:

karma-5.0.5.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: e2a635ee3b3d0a5deb8a12c693a1948003799ec6

Vulnerability Details

a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2015-9251 (Medium) detected in jquery-1.4.4.min.js, jquery-1.7.1.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.4.4.min.js, jquery-1.7.1.min.js

jquery-1.4.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js

Path to dependency file: angular-material-rail-drawer-plugin/node_modules/selenium-webdriver/lib/test/data/droppableItems.html

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js

Dependency Hierarchy:

❌ jquery-1.4.4.min.js (Vulnerable Library)

jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: angular-material-rail-drawer-plugin/node_modules/sockjs/examples/hapi/html/index.html

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/sockjs/examples/hapi/html/index.html,angular-material-rail-drawer-plugin/node_modules/sockjs/examples/express-3.x/index.html,angular-material-rail-drawer-plugin/node_modules/sockjs/examples/multiplex/index.html,angular-material-rail-drawer-plugin/node_modules/sockjs/examples/express/index.html,angular-material-rail-drawer-plugin/node_modules/sockjs/examples/echo/index.html

Dependency Hierarchy:

❌ jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: e2a635ee3b3d0a5deb8a12c693a1948003799ec6

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Step up your Open Source Security Game with WhiteSource here

Current mode (mini/expanded) API variable

Hello, is there any API variable that can tell programatically if the drawer is in mini or expanded mode ?
I've seen that you've added APIs that I were searching for yesterday so maybe you have this one too ?

CVE-2020-36049 (High) detected in socket.io-parser-3.2.0.tgz

CVE-2020-36049 - High Severity Vulnerability

Vulnerable Library - socket.io-parser-3.2.0.tgz

socket.io protocol parser

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.2.0.tgz

Path to dependency file: angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/socket.io-parser/package.json

Dependency Hierarchy:

karma-5.0.5.tgz (Root Library)
- socket.io-2.1.1.tgz
  - ❌ socket.io-parser-3.2.0.tgz (Vulnerable Library)

Vulnerability Details

socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.

Publish Date: 2021-01-08

URL: CVE-2020-36049

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36049

Release Date: 2021-01-08

Fix Resolution: socket.io-parser - 3.4.1

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23337 (High) detected in lodash-4.17.15.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/lodash/package.json

Dependency Hierarchy:

karma-5.0.5.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

Step up your Open Source Security Game with WhiteSource here

WS-2020-0091 (High) detected in http-proxy-1.18.0.tgz

WS-2020-0091 - High Severity Vulnerability

Vulnerable Library - http-proxy-1.18.0.tgz

HTTP proxying for the masses

Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.0.tgz

Path to dependency file: angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/http-proxy/package.json

Dependency Hierarchy:

karma-5.0.5.tgz (Root Library)
- ❌ http-proxy-1.18.0.tgz (Vulnerable Library)

Found in HEAD commit: e2a635ee3b3d0a5deb8a12c693a1948003799ec6

Vulnerability Details

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

Publish Date: 2020-05-14

URL: WS-2020-0091

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1486

Release Date: 2020-05-26

Fix Resolution: http-proxy - 1.18.1

Step up your Open Source Security Game with WhiteSource here

CVE-2021-31597 (Medium) detected in xmlhttprequest-ssl-1.5.5.tgz

CVE-2021-31597 - Medium Severity Vulnerability

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:

karma-5.0.5.tgz (Root Library)
- socket.io-2.1.1.tgz
  - socket.io-client-2.1.1.tgz
    - engine.io-client-3.2.1.tgz
      - ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Vulnerability Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Publish Date: 2021-04-23

URL: CVE-2021-31597

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597

Release Date: 2021-04-23

Fix Resolution: xmlhttprequest-ssl - 1.6.1

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23364 (Medium) detected in browserslist-4.12.0.tgz

CVE-2021-23364 - Medium Severity Vulnerability

Vulnerable Library - browserslist-4.12.0.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.12.0.tgz

Path to dependency file: angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/browserslist/package.json

Dependency Hierarchy:

build-angular-0.901.5.tgz (Root Library)
- ❌ browserslist-4.12.0.tgz (Vulnerable Library)

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5

Step up your Open Source Security Game with WhiteSource here

Console error

It happens either on https://stackblitz.com/edit/angular-material-mini-variant or in my own project using your rail drawer plugin.

`
ERROR TypeError: Cannot read property 'style' of null
at DefaultDomRenderer2.setStyle (dom_renderer.ts:192)
at BaseAnimationRenderer.setStyle (animation_renderer.ts:176)
at DebugRenderer2.setStyle (services.ts:804)
at MatDrawerRailDirective.ngAfterContentInit (drawer-rail.directive.ts:70)
at callProviderLifecycles (provider.ts:562)
at callElementProvidersLifecycles (provider.ts:541)
at callLifecycleHooksChildrenFirst (provider.ts:529)
at checkAndUpdateView (view.ts:365)
at callViewAction (view.ts:615)
at execComponentViewsAction (view.ts:559)

`
That was get at the console of Chrome in the url above.

CVE-2020-36048 (High) detected in engine.io-3.2.1.tgz

CVE-2020-36048 - High Severity Vulnerability

Vulnerable Library - engine.io-3.2.1.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.2.1.tgz

Path to dependency file: angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/engine.io/package.json

Dependency Hierarchy:

karma-5.0.5.tgz (Root Library)
- socket.io-2.1.1.tgz
  - ❌ engine.io-3.2.1.tgz (Vulnerable Library)

Vulnerability Details

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Publish Date: 2021-01-08

URL: CVE-2020-36048

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048

Release Date: 2021-01-08

Fix Resolution: engine.io - 4.0.0

Step up your Open Source Security Game with WhiteSource here

Discontinuation of Support for Angular V17 and Future Directions

Hello community,

I wanted to bring to your attention that the angular-material-rail-drawer package will no longer be updated to support Angular V17 and future versions. This decision has been made after careful consideration, and I'd like to share the reasons behind it:

Historical Context: The need for this feature was first highlighted in an issue dating back to Nov 4, 2016. Recognizing the community's demand and the lack of progress on the official front, I took the initiative to create this package and submitted a PR on May 12, 2020. Despite the clear demand and the passage of time, the concerns and needs of the community, in my humble view, seem to have been either ignored or given a lower priority by the Angular team.
New Syntax: Angular V17 introduces a new syntax that, in my opinion, is not in the best interest of developers. The changes seem to complicate rather than simplify the development process, making it less intuitive and more challenging to adopt.
Direction of Angular: Beyond just the syntax, the overall direction in which Angular is heading raises concerns. The framework's evolution seems to be diverging from the principles that made it popular in the first place.

Options Going Forward:

Continue Using Older Versions: If your project relies on versions of Angular prior to V17, you can continue using the angular-material-rail-drawer package without issues.
Hard Fork of Angular: For those who share similar concerns about Angular's direction, one option is to consider a hard fork of Angular. This would allow the community to maintain and evolve a version of Angular that aligns more closely with our preferences and needs.
Seek Alternatives: There are other frameworks and libraries available that might better suit your needs. It might be worth exploring these alternatives if Angular's direction is a significant concern.

Lastly, I want to express my gratitude to the Angular team for their hard work over the years. While I have personal disagreements with some of the decisions, I deeply appreciate their dedication and contributions to the community.

Thank you for your understanding and support.

WS-2020-0127 (Low) detected in npm-registry-fetch-4.0.4.tgz

WS-2020-0127 - Low Severity Vulnerability

Vulnerable Library - npm-registry-fetch-4.0.4.tgz

Fetch-based http client for use with npm registry APIs

Library home page: https://registry.npmjs.org/npm-registry-fetch/-/npm-registry-fetch-4.0.4.tgz

Path to dependency file: angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/npm-registry-fetch/package.json

Dependency Hierarchy:

cli-9.1.5.tgz (Root Library)
- pacote-9.5.12.tgz
  - ❌ npm-registry-fetch-4.0.4.tgz (Vulnerable Library)

Vulnerability Details

npm-registry-fetch before 4.0.5 and 8.1.1 is vulnerable to an information exposure vulnerability through log files.

Publish Date: 2020-07-07

URL: WS-2020-0127

CVSS 3 Score Details (3.4)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: N/A
- Attack Complexity: N/A
- Privileges Required: N/A
- User Interaction: N/A
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1544

Release Date: 2020-07-14

Fix Resolution: npm-registry-fetch - 4.0.5,8.1.1

Step up your Open Source Security Game with WhiteSource here

Resizing mat-sidenav covers hamburger menu, won't auto size to content within?

Hey thanks for this! I'm having a problem with the size of the . If I change the width, it covers the hamburger menu.

It's also not automatically sizing to the text of the buttons, as stated. If I have a longer button name, it wraps instead of pushing out the width to accommodate.

Spent quite a while viewing the source code but I can't find a way to change this? Please help, it's sooooooo close!

CVE-2020-7660 (High) detected in serialize-javascript-2.1.2.tgz

CVE-2020-7660 - High Severity Vulnerability

Vulnerable Library - serialize-javascript-2.1.2.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz

Path to dependency file: angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

build-angular-0.901.5.tgz (Root Library)
- copy-webpack-plugin-5.1.1.tgz
  - ❌ serialize-javascript-2.1.2.tgz (Vulnerable Library)

Found in HEAD commit: e2a635ee3b3d0a5deb8a12c693a1948003799ec6

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-01

Fix Resolution: serialize-javascript - 3.1.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28502 (High) detected in xmlhttprequest-ssl-1.5.5.tgz

CVE-2020-28502 - High Severity Vulnerability

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:

karma-5.0.5.tgz (Root Library)
- socket.io-2.1.1.tgz
  - socket.io-client-2.1.1.tgz
    - engine.io-client-3.2.1.tgz
      - ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28502

Release Date: 2021-03-05

Fix Resolution: xmlhttprequest - 1.7.0

Step up your Open Source Security Game with WhiteSource here

CVE-2012-6708 (Medium) detected in jquery-1.4.4.min.js, jquery-1.7.1.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.4.4.min.js, jquery-1.7.1.min.js

jquery-1.4.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js

Path to dependency file: angular-material-rail-drawer-plugin/node_modules/selenium-webdriver/lib/test/data/droppableItems.html

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js

Dependency Hierarchy:

❌ jquery-1.4.4.min.js (Vulnerable Library)

jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: angular-material-rail-drawer-plugin/node_modules/sockjs/examples/hapi/html/index.html

Dependency Hierarchy:

❌ jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: e2a635ee3b3d0a5deb8a12c693a1948003799ec6

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28481 (Medium) detected in socket.io-2.1.1.tgz

CVE-2020-28481 - Medium Severity Vulnerability

Vulnerable Library - socket.io-2.1.1.tgz

node.js realtime framework server

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.1.1.tgz

Path to dependency file: angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/socket.io/package.json

Dependency Hierarchy:

karma-5.0.5.tgz (Root Library)
- ❌ socket.io-2.1.1.tgz (Vulnerable Library)

Vulnerability Details

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Publish Date: 2021-01-19

URL: CVE-2020-28481

CVSS 3 Score Details (4.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481

Release Date: 2021-01-19

Fix Resolution: 2.4.0

Step up your Open Source Security Game with WhiteSource here

License

Hi there, Im currently checking out your package, great work! thank you very much!

One thing that is missing is a license (at least on npm) (hopefully like MIT or BSD,... :) ) such that I am allowed to use it for commercial applications

WS-2019-0424 (Medium) detected in elliptic-6.5.2.tgz

WS-2019-0424 - Medium Severity Vulnerability

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/elliptic/package.json

Dependency Hierarchy:

build-angular-0.901.5.tgz (Root Library)
- webpack-4.42.0.tgz
  - node-libs-browser-2.2.1.tgz
    - crypto-browserify-3.12.0.tgz
      - browserify-sign-4.1.0.tgz
        
        ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: e2a635ee3b3d0a5deb8a12c693a1948003799ec6

Vulnerability Details

all versions of elliptic are vulnerable to Timing Attack through side-channels.

Publish Date: 2019-11-13

URL: WS-2019-0424

CVSS 3 Score Details (5.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Accidentally removed module from public_api.ts

It seems you removed the module from the public_api.ts accidentally: dd64664#diff-13acfda7a5a5e239d77d61503fc8655d27bba738385a9ff459bd25025bfbe860

I just updated to the latest version and my build broke. I found out there the DrawerRailModule is missed. After a short research I found the mistake. I also created a PR to fix this.

CVE-2020-8203 (High) detected in lodash-4.17.15.tgz

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/lodash/package.json

Dependency Hierarchy:

karma-5.0.5.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-23

Fix Resolution: lodash - 4.17.19

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7608 (Medium) detected in yargs-parser-11.1.1.tgz

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-11.1.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz

Path to dependency file: angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/webpack-dev-server/node_modules/yargs-parser/package.json

Dependency Hierarchy:

protractor-5.4.4.tgz (Root Library)
- yargs-12.0.5.tgz
  - ❌ yargs-parser-11.1.1.tgz (Vulnerable Library)

Found in HEAD commit: e2a635ee3b3d0a5deb8a12c693a1948003799ec6

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: yargs/yargs-parser@63810ca

Release Date: 2020-06-05

Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11023 (Medium) detected in jquery-1.7.1.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: angular-material-rail-drawer-plugin/node_modules/sockjs/examples/hapi/html/index.html

Dependency Hierarchy:

❌ jquery-1.7.1.min.js (Vulnerable Library)

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

Angular 16 Support

Any plans to support angular 16?

Swap between Rail, Full or Hidden

I'm trying to create a SideNav that has 3 modes depending on the screen size. In mobile screens it will be fully hidden until the user clicks the "menu" icon, in medium screens it will show as a rail, and in large screens it will show as a full menu.

I tried to set this up using binding for the mode, but this doesn't work as per the previous issue. The only solution that "works" is for me to create multiple sidenavs and just show or hide the one I need, but this creates formatting issues.

How can I accomplish this?

CVE-2011-4969 (Medium) detected in jquery-1.4.4.min.js

CVE-2011-4969 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.4.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js

Path to dependency file: angular-material-rail-drawer-plugin/node_modules/selenium-webdriver/lib/test/data/droppableItems.html

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js

Dependency Hierarchy:

❌ jquery-1.4.4.min.js (Vulnerable Library)

Found in HEAD commit: e2a635ee3b3d0a5deb8a12c693a1948003799ec6

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Publish Date: 2013-03-08

URL: CVE-2011-4969

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969

Release Date: 2013-03-08

Fix Resolution: 1.6.3

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7656 (Medium) detected in jquery-1.4.4.min.js, jquery-1.7.1.min.js

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.4.4.min.js, jquery-1.7.1.min.js

jquery-1.4.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js

Path to dependency file: angular-material-rail-drawer-plugin/node_modules/selenium-webdriver/lib/test/data/droppableItems.html

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js

Dependency Hierarchy:

❌ jquery-1.4.4.min.js (Vulnerable Library)

jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: angular-material-rail-drawer-plugin/node_modules/sockjs/examples/hapi/html/index.html

Dependency Hierarchy:

❌ jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: e2a635ee3b3d0a5deb8a12c693a1948003799ec6

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-28

Fix Resolution: jquery - 1.9.0

Step up your Open Source Security Game with WhiteSource here

Generic type 'ɵɵDirectiveDeclaration' requires 6 type argument(s).

I am trying to integrate the rail into my project, and this is the error I am getting:

./node_modules/angular-material-rail-drawer/fesm2015/angular-material-rail-drawer.mjs - Error: Module build failed (from ./node_modules/@angular-devkit/build-angular/src/babel/webpack-loader.js):
TypeError: Cannot create property 'message' on string 'C:\baroloop\github\RPM-Frontend\node_modules\angular-material-rail-drawer\fesm2015\angular-material-rail-drawer.mjs: This application depends upon a library published using Angular version 14.0.6, which requires Angular version 14.0.0 or newer to work correctly.
Consider upgrading your application to use a more recent version of Angular.
at C:\baroloop\github\RPM-Frontend\node_modules\gensync\index.js:113:33
at step (C:\baroloop\github\RPM-Frontend\node_modules\gensync\index.js:287:14) at C:\baroloop\github\RPM-Frontend\node_modules\gensync\index.js:273:13 at async.call.result.err.err (C:\baroloop\github\RPM-Frontend\node_modules\gensync\index.js:223:11)
Error: node_modules/angular-material-rail-drawer/lib/drawer-rail.directive.d.ts:27:18 - error TS2314: Generic type 'ɵɵDirectiveDeclaration' requires 6 type argument(s).

27 static ɵdir: i0.ɵɵDirectiveDeclaration<MatDrawerRailDirective, "mat-sidenav[mode="rail"], mat-drawer[mode="rail"], mat-sidenav[rail-mode], mat-drawer[rail-mode]", never, { "openAnimation": "openAnimation"; "closeAnimation": "closeAnimation"; "closeWidth": "closeWidth"; "expandedWidth": "expandedWidth"; }, {}, never, never, false>; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Any ideas how to fix this? Thanks in advance!

CVE-2020-11022 (Medium) detected in jquery-1.7.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: angular-material-rail-drawer-plugin/node_modules/sockjs/examples/hapi/html/index.html

Dependency Hierarchy:

❌ jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: e2a635ee3b3d0a5deb8a12c693a1948003799ec6

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

Angular 15 compatibility

I just upgraded my app to angular 15 and am getting an error with rails because when you currently upgrade with @15 or @latest it installs angular 15.0.1 but it appears that the plugin is set for 15.0.0. Could that be updated to be ^15.0.0 instead so any version of 15 would work?

CVE-2020-13822 (High) detected in elliptic-6.5.2.tgz

CVE-2020-13822 - High Severity Vulnerability

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: angular-material-rail-drawer-plugin/node_modules/elliptic/package.json

Dependency Hierarchy:

build-angular-0.901.5.tgz (Root Library)
- webpack-4.42.0.tgz
  - node-libs-browser-2.2.1.tgz
    - crypto-browserify-3.12.0.tgz
      - browserify-sign-4.1.0.tgz
        
        ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (7.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/indutny/elliptic/tree/v6.5.3

Release Date: 2020-06-04

Fix Resolution: v6.5.3

Step up your Open Source Security Game with WhiteSource here

Missing License

Hi there, Im currently checking out your package, great work! thank you very much!

One thing that is missing is a license (at least on npm) (hopefully like MIT or BSD,... :) ) such that I am allowed to use it for commercial applications

Support for position="end" on <mat-sidenav>

Thanks for this great contribution. Any plans on supporting right side drawer?

The current issue (version 0.0.4) can be reproduced by adding position="end" on your Stackblitz and toggle the drawer. The main content moves sideways.

CVE-2020-15366 (Medium) detected in ajv-6.12.0.tgz

CVE-2020-15366 - Medium Severity Vulnerability

Vulnerable Library - ajv-6.12.0.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-6.12.0.tgz

Path to dependency file: /tmp/ws-scm/angular-material-rail-drawer-plugin/package.json

Path to vulnerable library: /tmp/ws-scm/angular-material-rail-drawer-plugin/node_modules/ajv/package.json

Dependency Hierarchy:

build-angular-0.1000.6.tgz (Root Library)
- webpack-4.43.0.tgz
  - ❌ ajv-6.12.0.tgz (Vulnerable Library)

Found in HEAD commit: 0799227358223988278a5d1101252574d1551d5a

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3

Release Date: 2020-07-15

Fix Resolution: ajv - 6.12.3

Step up your Open Source Security Game with WhiteSource here

jordan-hall / angular-material-rail-drawer-plugin Goto Github PK

angular-material-rail-drawer-plugin's People

Contributors

Stargazers

Watchers

Forkers

angular-material-rail-drawer-plugin's Issues

CVE-2020-7693 - Medium Severity Vulnerability

CVE-2020-28498 - Medium Severity Vulnerability

CVE-2020-28500 - Medium Severity Vulnerability

WS-2020-0070 - High Severity Vulnerability

CVE-2015-9251 - Medium Severity Vulnerability

CVE-2020-36049 - High Severity Vulnerability

CVE-2021-23337 - High Severity Vulnerability

WS-2020-0091 - High Severity Vulnerability

CVE-2021-31597 - Medium Severity Vulnerability

CVE-2021-23364 - Medium Severity Vulnerability

CVE-2020-36048 - High Severity Vulnerability

Discontinuation of Support for Angular V17 and Future Directions

Options Going Forward:

WS-2020-0127 - Low Severity Vulnerability

CVE-2020-7660 - High Severity Vulnerability

CVE-2020-28502 - High Severity Vulnerability

CVE-2012-6708 - Medium Severity Vulnerability

CVE-2020-28481 - Medium Severity Vulnerability

WS-2019-0424 - Medium Severity Vulnerability

CVE-2020-8203 - High Severity Vulnerability

CVE-2020-7608 - Medium Severity Vulnerability

CVE-2020-11023 - Medium Severity Vulnerability

CVE-2011-4969 - Medium Severity Vulnerability

CVE-2020-7656 - Medium Severity Vulnerability

CVE-2020-11022 - Medium Severity Vulnerability

CVE-2020-13822 - High Severity Vulnerability

CVE-2020-15366 - Medium Severity Vulnerability

Recommend Projects

Recommend Topics

Recommend Org