Prototype pollution in @angular-devkit/build-angular caused by object-path < 0.11.5

[dennisheer]

🐞 Bug report

Command (mark with an x)

• npm audit
• new
• build
• serve
• test
• e2e
• generate
• add
• update
• lint
• xi18n
• run
• config
• help
• version
• doc

Is this a regression?

Yes, the previous version in which this bug was not present was: `0.901.6`. The affected version of `@angular-devkit/build-angular` is `0.1001.7`.

Description

Executing npm audit results in a high vulnerability (prototype-pollution) found for object-path < 0.11.5. See https://www.npmjs.com/advisories/1573 for further information.

🔬 Minimal Reproduction

1. Run ng new repro-app && cd repro-app
2. Install @angular-devkit/build-angular with version 0.1001.7 by running npm i @angular-devkit/build-angular@0.1001.7
3. (Run npm audit)

🔥 Exception or Error

🌍 Your Environment

Angular CLI: 10.1.7
Node: 12.19.0
OS: darwin x64

Angular: 10.1.6
... animations, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router, service-worker
Ivy Workspace: Yes

Package                            Version
------------------------------------------------------------
@angular-devkit/architect          0.1001.7
@angular-devkit/build-angular      0.1001.7
@angular-devkit/build-ng-packagr   0.1001.7
@angular-devkit/core               10.1.7
@angular-devkit/schematics         10.1.7
@angular/cdk                       10.2.5
@angular/cli                       10.1.7
@schematics/angular                10.1.7
@schematics/update                 0.1001.7
ng-packagr                         10.1.2
rxjs                               6.6.3
typescript                         4.0.3

Anything else relevant?

No.

[alan-agius4]

Blocked on bholloway/resolve-url-loader#170