Which @angular/* package(s) are the source of the bug?
Don't know / other
Is this a regression?
Yes
Description
I just updated our Angular app from version 15 to 16.
After the update completed I get the following vulnerability issue for the package: @angular-devkit/build-angular:
# npm audit report
vite 4.3.0 - 4.3.8
Severity: high
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//) - https://github.com/advisories/GHSA-353f-5xf4-qw67
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@15.2.8, which is a breaking change
node_modules/vite
@angular-devkit/build-angular 16.0.0-next.0 - 16.1.0-next.1
Depends on vulnerable versions of vite
node_modules/@angular-devkit/build-angular
2 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
As mentioned in the audit report there seems to be a vulnerability for version 16.0.0-next.0 - 16.1.0-next.1 of @angular-devkit/build-angular. In our package.json we reference the package with: ~16.0.4. As to my understanding it should not install the next versions but just the current stable version.
Please provide a link to a minimal reproduction of the bug
No response
Please provide the exception or error you saw
# npm audit report
vite 4.3.0 - 4.3.8
Severity: high
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//) - https://github.com/advisories/GHSA-353f-5xf4-qw67
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@15.2.8, which is a breaking change
node_modules/vite
@angular-devkit/build-angular 16.0.0-next.0 - 16.1.0-next.1
Depends on vulnerable versions of vite
node_modules/@angular-devkit/build-angular
2 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Please provide the environment you discovered this bug in (run ng version)
Angular CLI: 16.0.4
Node: 18.10
Anything else?
Sorry if this issue should have been created as a vulnerability report. But I wasn't exactly sure whether it is a bug or a vulnerability issue.
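Added example, not part of this issue or of the Angular CLI project: a dependency-free semver precedence check (assumed helper names parse, compare, inAuditRange, satisfiesTilde) showing why the audit's "16.0.0-next.0 - 16.1.0-next.1" range includes the stable 16.0.4 release even though ~16.0.4 never resolves to a next build, so the finding concerns the vite version pulled in by the installed stable package, not a prerelease install.

```javascript
// Added example (not from the Angular CLI issue or project): minimal semver
// precedence check. The audit's hyphen range uses prerelease bounds, and per
// the semver spec 16.0.0-next.0 < 16.0.0 <= 16.0.4 < 16.1.0-next.1, so the
// range covers every stable 16.0.x release, not just the "next" builds.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// prerelease identifiers: numeric ones compare numerically and rank below alphanumerics
function cmpIds(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na !== nb) return na ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// returns -1, 0 or 1 following semver precedence rules
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  // same major.minor.patch: a prerelease ranks below the plain release
  if (!x.pre.length || !y.pre.length) return Math.sign(y.pre.length - x.pre.length);
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= x.pre.length) return -1; // fewer identifiers ranks lower
    if (i >= y.pre.length) return 1;
    const c = cmpIds(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

// npm audit prints vulnerable ranges as "low - high" with both bounds inclusive
function inAuditRange(version, range) {
  const [lo, hi] = range.split(' - ');
  return compare(version, lo) >= 0 && compare(version, hi) <= 0;
}

// what a package.json tilde range such as ~16.0.4 allows: same major.minor,
// patch >= base, and never a prerelease (a range without a prerelease tag
// does not match one). Assumes the tilde base itself has no prerelease tag.
function satisfiesTilde(version, tilde) {
  const b = parse(tilde.slice(1)).core, v = parse(version);
  return !v.pre.length && v.core[0] === b[0] && v.core[1] === b[1] && v.core[2] >= b[2];
}
```

Because the vulnerable range belongs to the vite dev-server dependency (4.3.0 - 4.3.8) rather than to a prerelease of build-angular, the fix is a build-angular release that depends on a patched vite, not a downgrade to 15.2.8 as `npm audit fix --force` proposes.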