vulnerable package version of custom-webpack being used inside build-angular for v12

[iRealNirmal]

Recently GitHub dependbot showing vulnerability for ansi-html in package-lock.json for projects.

On back tracking it was coming from webpack-dev-server version 3.11.2 but it's removed in 3.11.3 patch update.

Once webpack-dev-server version is updated to v3.11.3 this issue will be resolved.

[gonadarian]

We have the same issue on our team. This high severity security vulnerability was detected by GitHub way back in September: GHSA-whgm-jr23-g3j9 and is one of the last open issues we have, but we can't resolve it ourselves.

Will we have to move to v13 to get this fixed or could v12 be updated here: https://github.com/angular/angular-cli/blob/12.2.x/packages/angular_devkit/build_angular/package.json#L75, as well?

[iRealNirmal]

@gonadarian as per my analysis just it has to be updated to version 3.11.3. I can even work on PR but I need confirmation from any person from angular team.

@alan-agius4 do you have any input in this ?

[gonadarian]

@iRealNirmal, agreed - 3.11.3 switched from ansi-html to its fork ansi-html-community where this was fixed in mahdyar/ansi-html-community@283cda2.

[iRealNirmal]

@alan-agius4 I can help in this, is it possible to assign it to me. If you think other wise then let me know.

[alan-agius4]

@iRealNirmal, sure.

Note that you need to do 2 PRs, one for the v11 and another for v12.