Skip to content

Angular 19 depends on vulnerable version of Vite #29936

New issue
New issue
Closed
Bug
Closed
Angular 19 depends on vulnerable version of Vite#29936
Bug
#29940 (+2)
Assignees
alan-agius4
Labels
area: @angular/buildfreq1: lowOnly reported by a handful of users who observe it rarelyseverity6: securitytype: bug/fix
@json-derulo

Description

@json-derulo
json-derulo
opened on Mar 26, 2025

Command

other

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

The Angular CLI v19 depends on Vite version 6.2.0, which is vulnerable: GHSA-x574-m823-4x7w

It should be updated to v6.2.3

Minimal Reproduction

Generate a new error with ng new and run npm audit

Exception or Error

Your Environment

Angular CLI: 19.2.4
Node: 22.14.0
Package Manager: npm 11.2.0
OS: darwin arm64

Angular: 19.2.3
... animations, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1902.4
@angular-devkit/build-angular   19.2.4
@angular-devkit/core            19.2.4
@angular-devkit/schematics      19.2.4
@angular/cdk                    19.2.6
@angular/cli                    19.2.4
@angular/material               19.2.6
@schematics/angular             19.2.4
rxjs                            7.8.2
typescript                      5.8.2
zone.js                         0.15.0

Anything else relevant?

No response

Metadata

Metadata

Assignees

Labels

area: @angular/buildfreq1: lowOnly reported by a handful of users who observe it rarelyseverity6: securitytype: bug/fix

Type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions