Description
Command
other
Is this a regression?
- Yes, this behavior used to work in the previous version
The previous version in which this bug was not present was
No response
Description
Running npm audit on an Angular 16 project with version 16.2.11 of @angular-devkit/build-angular reports a security vulnerability with vite.
vite 4.0.0 - 4.5.1
Severity: high
Vite dev server option server.fs.deny
can be bypassed when hosted on case-insensitive filesystem - GHSA-c24v-8rfc-w8vw
fix available via npm audit fix --force
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/@angular-devkit/build-angular/node_modules/vite
@angular-devkit/build-angular 16.0.0-next.0 - 17.0.10
Depends on vulnerable versions of vite
node_modules/@angular-devkit/build-angular
An update is needed to use the patched version of vite - 4.5.2. The recent revision of @angular-devkit/build-angular (e0e011f) only moved this up to 4.5.1, which is still affected (see link below).
Minimal Reproduction
- Create an angular v16 project with version 16.2.11 of @angular-devkit/build-angular.
- Run npm audit.
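The check below is an added example, not part of the issue or of the Angular CLI project: a small Node script that reads a package-lock.json (lockfileVersion 2/3 "packages" map) and reports every installed copy of vite whose version falls in the range npm audit flags here, 4.0.0 up to but not including the patched 4.5.2, together with the package that pins it (in this issue, the copy nested under node_modules/@angular-devkit/build-angular). The semver comparison is hand-written so it runs without the semver package, and the lock-file content embedded in the script is constructed to mirror the layout in the issue.

```javascript
// Added example (not from the issue): find vite installs in a package-lock.json
// that fall in the vulnerable range reported by npm audit (4.0.0 - 4.5.1,
// GHSA-c24v-8rfc-w8vw) and show which dependant pins each one.

const VULN_MIN = '4.0.0';
const PATCHED = '4.5.2'; // first fixed version named in the issue

// Constructed sample lock file: a nested vite under @angular-devkit/build-angular
// (as in the issue) plus an unrelated top-level vite that is already patched.
const sampleLock = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.0' },
    'node_modules/@angular-devkit/build-angular': { version: '16.2.11' },
    'node_modules/@angular-devkit/build-angular/node_modules/vite': { version: '4.5.1' },
    'node_modules/vite': { version: '4.5.2' },
  },
};

// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns <0, 0 or >0 like strcmp. A prerelease sorts before its release.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// True when VULN_MIN <= version < PATCHED.
function isVulnerableVite(version) {
  return compareSemver(version, VULN_MIN) >= 0 && compareSemver(version, PATCHED) < 0;
}

// Walk every installed copy of vite (top-level or nested) and return the ones in
// the vulnerable range with the path of the package whose tree pins them.
function findVulnerableVite(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!(path === 'node_modules/vite' || path.endsWith('/node_modules/vite'))) continue;
    if (!entry.version || !isVulnerableVite(entry.version)) continue;
    // The dependant is whatever precedes the final "node_modules/vite" segment.
    const parent = path.replace(/\/?node_modules\/vite$/, '') || '(root)';
    hits.push({ path, version: entry.version, parent });
  }
  return hits;
}

// Load a real lock file; only needed when not using the constructed sample.
function loadLock(lockPath) {
  return JSON.parse(require('fs').readFileSync(lockPath, 'utf8'));
}

// Report on the constructed sample; swap in loadLock('package-lock.json') for a real project.
function main(lock = sampleLock) {
  const hits = findVulnerableVite(lock);
  if (hits.length === 0) {
    console.log(`no vite in range ${VULN_MIN} - <${PATCHED}`);
  } else {
    for (const h of hits) console.log(`${h.path}: vite ${h.version} (pinned by ${h.parent})`);
  }
  return hits.length;
}

main();
```

On the sample this prints the single nested copy, `node_modules/@angular-devkit/build-angular/node_modules/vite: vite 4.5.1 (pinned by node_modules/@angular-devkit/build-angular)`, which is exactly why `npm audit fix` cannot resolve it without a major bump of the dependant: the fix has to come from @angular-devkit/build-angular raising its own vite range.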
Exception or Error
No response
Your Environment
Angular CLI: 16.2.11
Node: 18.18.2
Package Manager: npm 9.8.1
OS: win32 x64
Angular: 16.2.12
... animations, common, compiler, compiler-cli, core, forms
... language-service, localize, platform-browser
... platform-browser-dynamic, platform-server, router
... service-worker
Package Version
------------------------------------------------------------
@angular-devkit/architect 0.1602.11
@angular-devkit/build-angular 16.2.11
@angular-devkit/core 16.2.11
@angular-devkit/schematics 16.2.11
@angular/cdk 16.2.13
@angular/cli 16.2.11
@angular/flex-layout 15.0.0-beta.42
@angular/material 16.2.13
@angular/material-moment-adapter 16.2.13
@schematics/angular 16.2.11
rxjs 7.8.1
typescript 4.9.5
zone.js 0.13.3
Anything else relevant?
No response