
bug(devDependencies): Too many vulnerabilities found by yarn audit #26359

Open
@kiddliu

Description


Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

As the title indicates, too many vulnerabilities are found by yarn audit, and they're all in [dev] packages. We believe it may open us to supply chain attacks, which continue to rise in popularity and may affect a development environment, where, in the right circumstances, they can be exploited to pivot towards introducing flaws in software that gets released.


Reproduction

Steps to reproduce:

  1. Switch to the main branch if not
  2. Run yarn audit
  3. The output shows a lot of critical/high vulnerabilities found

Expected Behavior

The vulnerabilities found in devDependencies packages should be fixed.

Actual Behavior

64 vulnerabilities found - Packages audited: 2759
Severity: 3 Low | 16 Moderate | 32 High | 13 Critical

Environment

  • Angular: N/A
  • CDK/Material: 15.1.0-next.2
  • Browser(s): N/A
  • Operating System (e.g. Windows, macOS, Ubuntu): Microsoft Windows [Version 10.0.25267.1000]
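An added example (not the Angular Components project's code and not from the issue author) showing how a CI gate could consume the reproduction step above through `yarn audit --json`, parse the result, and separate dev-only findings from ones reachable from runtime dependencies. It assumes yarn v1's line-delimited JSON format, with `auditAdvisory` records carrying `data.advisory.severity` and `data.advisory.findings[].dev` and a trailing `auditSummary` record; the advisory lines are constructed samples, and the summary figures are the counts reported in the issue.

```javascript
// Added example, not code from the Angular Components repo or from the issue author.
// Summarises `yarn audit --json` output and decides whether a build should fail.
//
// Assumptions (not stated in the issue): yarn v1 emits one JSON object per line,
// `auditAdvisory` records carry data.advisory.severity and data.advisory.findings[].dev,
// and a trailing `auditSummary` record carries the per-severity totals.
// The advisory lines below are constructed samples; the summary numbers are the
// counts reported in the issue (3 low, 16 moderate, 32 high, 13 critical, 2759 packages).

const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

// Parse NDJSON into a list of advisories plus the summary record (or null).
function parseAuditOutput(ndjson) {
  const advisories = [];
  let summary = null;
  for (const raw of ndjson.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    let record;
    try {
      record = JSON.parse(line);
    } catch (e) {
      continue; // non-JSON noise such as yarn warnings is ignored
    }
    if (record.type === "auditAdvisory") {
      const adv = record.data.advisory;
      const findings = Array.isArray(adv.findings) ? adv.findings : [];
      advisories.push({
        id: adv.id,
        module: adv.module_name,
        severity: adv.severity,
        title: adv.title,
        // dev-only when every path that pulls the package in is a devDependency path
        devOnly: findings.length > 0 && findings.every((f) => f.dev === true),
      });
    } else if (record.type === "auditSummary") {
      summary = record.data;
    }
  }
  return { advisories, summary };
}

// Count advisories per severity level.
function countBySeverity(advisories) {
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  for (const a of advisories) {
    if (a.severity in counts) counts[a.severity] += 1;
  }
  return counts;
}

// Advisories at or above `minSeverity`; `includeDev: false` drops dev-only findings,
// which is exactly the class of findings the issue argues should not be ignored.
function findingsAtOrAbove(advisories, minSeverity, { includeDev = true } = {}) {
  const floor = SEVERITY_ORDER.indexOf(minSeverity);
  if (floor < 0) throw new Error(`unknown severity: ${minSeverity}`);
  return advisories.filter(
    (a) => (includeDev || !a.devOnly) && SEVERITY_ORDER.indexOf(a.severity) >= floor
  );
}

// Total vulnerabilities as yarn reports them, summed from the summary record.
function totalFromSummary(summary) {
  if (!summary || !summary.vulnerabilities) return 0;
  return Object.values(summary.vulnerabilities).reduce((acc, n) => acc + n, 0);
}

// One report object a CI step can act on; fails on anything at or above minSeverity.
function report(ndjson, minSeverity = "high") {
  const { advisories, summary } = parseAuditOutput(ndjson);
  const blocking = findingsAtOrAbove(advisories, minSeverity);
  return {
    counts: countBySeverity(advisories),
    total: totalFromSummary(summary),
    blocking: blocking.length,
    devOnlyBlocking: blocking.filter((a) => a.devOnly).length,
    shouldFail: blocking.length > 0,
  };
}

// Constructed sample: a yarn warning line, two dev-only advisories, and one advisory
// reachable from a runtime dependency. Module names and ids are placeholders.
const SAMPLE_OUTPUT = [
  "warning constructed-sample: this non-JSON line must be skipped",
  JSON.stringify({ type: "auditAdvisory", data: { advisory: {
    id: 1001, module_name: "example-dev-tool", severity: "critical",
    title: "Constructed sample advisory A",
    findings: [{ version: "1.0.0", paths: ["example-dev-tool"], dev: true }] } } }),
  JSON.stringify({ type: "auditAdvisory", data: { advisory: {
    id: 1002, module_name: "example-test-runner-dep", severity: "high",
    title: "Constructed sample advisory B",
    findings: [{ version: "2.3.4", paths: ["example-test-runner>example-test-runner-dep"], dev: true }] } } }),
  JSON.stringify({ type: "auditAdvisory", data: { advisory: {
    id: 1003, module_name: "example-runtime-lib", severity: "moderate",
    title: "Constructed sample advisory C",
    findings: [{ version: "0.9.0", paths: ["example-runtime-lib"], dev: false }] } } }),
  JSON.stringify({ type: "auditSummary", data: {
    vulnerabilities: { info: 0, low: 3, moderate: 16, high: 32, critical: 13 },
    totalDependencies: 2759 } }),
].join("\n");

console.log(JSON.stringify(report(SAMPLE_OUTPUT), null, 2));
```

To use it as a gate, feed the real `yarn audit --json` output into `report` in place of the constructed sample. The dev-only split is deliberately a separate field rather than a silent filter: a policy that drops dev-only findings with `includeDev: false` should be an explicit decision, since build-time tooling is the part of the supply chain the report is concerned about.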

Labels

  • P3: An issue that is relevant to core functions, but does not impede progress. Important, but not urgent
  • area: dev-infra: Issue related to internal project infrastructure