npm audit on a brand new v17 Angular CLI generated application returns vulnerabilities

[miguellira]

Command

new

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

16.2.0

Description

After installing the latest Angular CLI and creating an application via ng new, running npm audit reports vulnerabilities and the suggestion to fix would require a non v17 version of @angular-devkit/build-angular

Minimal Reproduction

1. Install latest Angular CLI: npm install -g @angular/cli
2. Create new application: ng new npm-audit-fails --style scss --ssr false --skip-git
3. Change directory to new app: cd npm-audit-fails
4. Run audit: npm audit

Exception or Error

# npm audit report

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@16.2.10, which is a breaking change
node_modules/axios
  localtunnel  >=1.9.0
  Depends on vulnerable versions of axios
  node_modules/localtunnel
    browser-sync  >=2.24.0-rc1
    Depends on vulnerable versions of localtunnel
    node_modules/browser-sync
      @angular-devkit/build-angular  >=17.0.0-next.0
      Depends on vulnerable versions of browser-sync
      node_modules/@angular-devkit/build-angular

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

### Your Environment

```text
Node.js version v21.1.0 detected.
Odd numbered Node.js versions will not enter LTS status and should not be used for production. For more information, please see https://nodejs.org/en/about/previous-releases/.

     _                      _                 ____ _     ___
    / \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|
   / △ \ | '_ \ / _` | | | | |/ _` | '__|   | |   | |    | |
  / ___ \| | | | (_| | |_| | | (_| | |      | |___| |___ | |
 /_/   \_\_| |_|\__, |\__,_|_|\__,_|_|       \____|_____|___|
                |___/
    

Angular CLI: 17.0.0
Node: 21.1.0 (Unsupported)
Package Manager: npm 10.2.3
OS: darwin arm64

Angular: 17.0.2
... animations, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1700.0
@angular-devkit/build-angular   17.0.0
@angular-devkit/core            17.0.0
@angular-devkit/schematics      17.0.0
@angular/cli                    17.0.0
@schematics/angular             17.0.0
rxjs                            7.8.1
typescript                      5.2.2
zone.js                         0.14.2
    
Warning: The current version of Node (21.1.0) is not supported by Angular.

### Anything else relevant?

I noticed that the report somehow references version `>=17.0.0-next.0` of `@angular-devkit/build-angular` instead of simply v17.

[dgp1130]

Latest localtunnel (2.0.2) is still using a vulnerable axios (0.21.4). There's already an issue filed to localtunnel to update the dependency: localtunnel/localtunnel#632. Until that's fixed, there's not much we can do about this.

browser-sync is only used for live reloading in ng serve and is used in local development only, so the risk here is fairly minimal. Rennovate should automatically pick up a version bump when it is available.

[jase88]

{
   ...
  "overrides": {
    "localtunnel": {
      "axios": "1.6.2"
    }
  }

Waiting on localtunnel/localtunnel#633