@angular-devkit/build-angular v18.2.12 has vulnerable dependency

[mkoncz]

Command

build

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

@angular-devkit/build-angular package with version v18.2.12 has a direct dependency in its package.json config: "vite": "5.4.6"

We can see in the Mend vulnerability database that the vite versions of from the 5.4.x series under 5.4.12 are vulnerable:
https://www.mend.io/vulnerability-database/CVE-2025-24010

The patch version of "vite" in the package.json of @angular-devkit/build-angular should be increased.

Minimal Reproduction

Command: ng build

package.json

 "devDependencies": {
    "@angular-devkit/build-angular": "~18.2.12",
    ...
 }

package-lock.json

 "node_modules/@angular/build": {
      "version": "18.2.12",
         "dependencies": {
             "vite": "5.4.6",
              ...
          },
       ....
  }

Exception or Error

Your Environment

Angular CLI: 18.2.12
Node: 18.20.4
Package Manager: npm 10.7.0
OS: darwin arm64

Angular: 18.2.13
... animations, common, compiler, compiler-cli, core, elements
... forms, platform-browser, platform-browser-dynamic, router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1802.12
@angular-devkit/build-angular   18.2.12
@angular-devkit/core            18.2.12
@angular-devkit/schematics      18.2.12
@angular/cdk                    18.2.14
@angular/cli                    18.2.12
@schematics/angular             18.2.12
rxjs                            7.8.1
typescript                      5.5.4
zone.js                         0.14.10

Anything else relevant?

No response

[json-derulo]

Angular 19 projects using the latest versions also depend a vulnerable Vite version 6.0.7, it needs to be updated to 6.0.9 or later

[lsmith77]

looks like Angular 19 is covered here f836be9 with a risk of a BC break

[alan-agius4]

Closed via #29472 and #29471

[mkoncz]

Hi @alan-agius4,

Could you please provide some details on why this was closed?
I don't see any new major version release for version 18, and version 18.2.12 is marked as LTS.

Thank you!

[JeanMeche]

The LTS release hasn't happened yet. We release once a week.

[alan-agius4]

18.2.13 has been released on NPM.

[hcornelisonJHA]

Is this really fixed? The package.json file for 18.2.13 still shows that it depends on a vulnerable version of vite (5.4.6): https://www.npmjs.com/package/@angular-devkit/build-angular/v/18.2.13?activeTab=code

I bumped a project currently affected by CVE-2025-24010 from 18.2.12 to 18.2.13, and the npm audit still shows that there is a problem because of this.

{
"name": "@angular-devkit/build-angular",
"version": "18.2.13",
"description": "Angular Webpack Build Facade",
"main": "src/index.js",
"typings": "src/index.d.ts",
"builders": "builders.json",
"dependencies": {
"@ampproject/remapping": "2.3.0",
"@angular-devkit/architect": "0.1802.13",
"@angular-devkit/build-webpack": "0.1802.13",
"@angular-devkit/core": "18.2.13",
"@angular/build": "18.2.13",
"@babel/core": "7.25.2",
"@babel/generator": "7.25.0",
"@babel/helper-annotate-as-pure": "7.24.7",
"@babel/helper-split-export-declaration": "7.24.7",
"@babel/plugin-transform-async-generator-functions": "7.25.0",
"@babel/plugin-transform-async-to-generator": "7.24.7",
"@babel/plugin-transform-runtime": "7.24.7",
"@babel/preset-env": "7.25.3",
"@babel/runtime": "7.25.0",
"@discoveryjs/json-ext": "0.6.1",
"@ngtools/webpack": "18.2.13",
"@vitejs/plugin-basic-ssl": "1.1.0",
"ansi-colors": "4.1.3",
"autoprefixer": "10.4.20",
"babel-loader": "9.1.3",
"browserslist": "^4.21.5",
"copy-webpack-plugin": "12.0.2",
"critters": "0.0.24",
"css-loader": "7.1.2",
"esbuild-wasm": "0.23.0",
"fast-glob": "3.3.2",
"http-proxy-middleware": "3.0.3",
"https-proxy-agent": "7.0.5",
"istanbul-lib-instrument": "6.0.3",
"jsonc-parser": "3.3.1",
"karma-source-map-support": "1.4.0",
"less": "4.2.0",
"less-loader": "12.2.0",
"license-webpack-plugin": "4.0.2",
"loader-utils": "3.3.1",
"magic-string": "0.30.11",
"mini-css-extract-plugin": "2.9.0",
"mrmime": "2.0.0",
"open": "10.1.0",
"ora": "5.4.1",
"parse5-html-rewriting-stream": "7.0.0",
"picomatch": "4.0.2",
"piscina": "4.6.1",
"postcss": "8.4.41",
"postcss-loader": "8.1.1",
"resolve-url-loader": "5.0.0",
"rxjs": "7.8.1",
"sass": "1.77.6",
"sass-loader": "16.0.0",
"semver": "7.6.3",
"source-map-loader": "5.0.0",
"source-map-support": "0.5.21",
"terser": "5.31.6",
"tree-kill": "1.2.2",
"tslib": "2.6.3",
"vite": "5.4.6",
"watchpack": "2.4.1",
"webpack": "5.94.0",
"webpack-dev-middleware": "7.4.2",
"webpack-dev-server": "5.0.4",
"webpack-merge": "6.0.1",
"webpack-subresource-integrity": "5.1.0"
...

[alan-agius4]

Yeah, it looks like we missed a package.json version.