Angular 19 projects depend on vulnerable vite version

[json-derulo]

Command

other

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Angular 19 projects depend on Vite v6.2.6 which is vulnerable: GHSA-859w-5945-r5v3

Vite should be updated to v6.2.7.

Minimal Reproduction

Generate a new project and check the used versions of vite

Exception or Error

Your Environment

_                      _                 ____ _     ___
    / \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|
   / △ \ | '_ \ / _` | | | | |/ _` | '__|   | |   | |    | |
  / ___ \| | | | (_| | |_| | | (_| | |      | |___| |___ | |
 /_/   \_\_| |_|\__, |\__,_|_|\__,_|_|       \____|_____|___|
                |___/
    

Angular CLI: 19.2.9
Node: 22.15.0
Package Manager: npm 11.3.0
OS: darwin arm64

Angular: 19.2.8
... animations, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1902.9
@angular-devkit/build-angular   19.2.9
@angular-devkit/core            19.2.9
@angular-devkit/schematics      19.2.9
@angular/cdk                    19.2.11
@angular/cli                    19.2.9
@angular/material               19.2.11
@schematics/angular             19.2.9
rxjs                            7.8.2
typescript                      5.8.3
zone.js                         0.15.0

Anything else relevant?

No response

[alan-agius4]

Closed via #30207

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}