# Static Application Scanning Angular: Resolving lodash npm audit

Static Application Scanning (SAST) is the principle of looking for well-known security issues at compile time. it spans tools that look for common coding errors (super lints), tools that are dictionary-based (e.g. looking up CVE), and looking for well-known configuration errors.

Our practice with SAST is to run it in our CI pipeline on build. This can sometimes be a bit irritating since the build will suddenly fail due to a newly-found error. But, its better than shipping that problem to our customers.

So, lets give this a try with Angular 10. Brand shiny new.

```
$ ng new --defaults npm-audit-angular
$ cd npm-audit-angular
$ npm ci
$ npm audit
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular/cli [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular/cli > inquirer > lodash                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1523                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
...
found 281 low severity vulnerabilities in 1465 scanned packages
  281 vulnerabilities require manual review. See the full report for details.
```

OK, that's not good, we have 281 issues and we haven't even started! Worse, at this writing, there is no fix (<https://github.com/lodash/lodash/pull/4759> has been merged tho).

So, the technique we can use... eyeball the error and assess whether we want to block our release. If we don't, we can use better-npm-audit:

```
$ npm install --save-dev better-npm-audit
# edit package.json, insert audit script:
{
  "name": "npm-audit-angular",
  "version": "0.0.0",
  "scripts": {
 ...
    "e2e": "ng e2e",
    "audit": "node node_modules/better-npm-audit audit -i 1523"
  },
$ npm run audit
```

So now we can run audit, we have (temporarily) ignored 1523, pending a new release. Now, once the new release comes up, we will run into the second problem: some packages we rely on will still pin to the unfixed version. So then we will use `<a href="https://www.npmjs.com/package/npm-force-resolutions">npm-force-resolutions</a>`.