Description
Which @angular/* package(s) are the source of the bug?
upgrade
Is this a regression?
No
Description
moderate severity vulnerabilities
vite
Affected versions
= 6.2.0, < 6.2.6
Patched versions
6.2.6
package-lock.json shows "vite": "6.2.5".
Note:
vite is a dependency of node_modules/@angular/build,
"version": "19.2.7"
Please provide a link to a minimal reproduction of the bug
No response
Please provide the exception or error you saw
C:\pr360-portal-v3\pr360>npm audit
# npm audit report
vite 6.2.0 - 6.2.5
Severity: moderate
Vite has an `server.fs.deny` bypass with an invalid `request-target` - https://github.com/advisories/GHSA-356w-63v5-8wf4
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@19.2.0, which is a breaking change
node_modules/@angular/build/node_modules/vite
@angular/build >=19.2.1
Depends on vulnerable versions of vite
node_modules/@angular/build
@angular-devkit/build-angular >=19.2.1
Depends on vulnerable versions of @angular/build
node_modules/@angular-devkit/build-angular
3 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Please provide the environment you discovered this bug in (run `ng version`)
Angular CLI: 19.2.7
Node: 22.14.0
Package Manager: npm 11.2.0
OS: win32 x64
Angular: 19.2.6
... common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, platform-server
... router
Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1902.7
@angular-devkit/build-angular   19.2.7
@angular-devkit/core            19.2.7
@angular-devkit/schematics      19.2.7
@angular/cli                    19.2.7
@angular/ssr                    19.2.7
@schematics/angular             19.2.7
rxjs                            7.8.2
typescript                      5.7.3
zone.js                         0.15.0
Anything else?
It happens when creating a new Angular 19 project.
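
A lockfile check for the situation in this report, added here as an example and not part of the original issue or the Angular project's code: it lists every vite install in a package-lock.json whose version falls in the 6.2.0 - 6.2.5 range from the npm audit output, along with the package that nests it. The function names and the sample lockfile are constructed for illustration, and a lockfile with a `packages` map (lockfileVersion 2 or 3) is assumed.

```javascript
// Added example: find vite copies in a package-lock.json that fall inside
// the range npm audit reported above (vite 6.2.0 - 6.2.5).
const AFFECTED = { min: [6, 2, 0], max: [6, 2, 5] }; // taken from the audit output

// Parse "major.minor.patch". Pre-release/build suffixes are ignored, so
// "6.2.0-beta.1" is treated as 6.2.0 (a conservative assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

// Three-part numeric comparison: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns [{ path, version, parent }] for each affected vite install.
function findAffectedVite(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match the package named exactly "vite", hoisted or nested.
    if (!/(^|\/)node_modules\/vite$/.test(path)) continue;
    const v = parseVersion(meta.version);
    if (!v || cmp(v, AFFECTED.min) < 0 || cmp(v, AFFECTED.max) > 0) continue;
    // The nesting package is everything before the final "node_modules/vite".
    const cut = path.lastIndexOf("node_modules/vite");
    const parent = path.slice(0, cut).replace(/\/$/, "") || "(root)";
    hits.push({ path, version: meta.version, parent });
  }
  return hits;
}

// Constructed sample lockfile fragment mirroring the versions in the report.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo" },
    "node_modules/@angular/build": { version: "19.2.7" },
    "node_modules/@angular/build/node_modules/vite": { version: "6.2.5" },
    "node_modules/vite": { version: "6.2.6" }, // patched copy, not reported
    "node_modules/vite-plugin-x": { version: "6.2.1" }, // hypothetical name, not vite
  },
};

console.log(findAffectedVite(sampleLock));
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffectedVite` instead of the sample object.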