
@angular-devkit/build-angular depends on vulnerable version of vite #26916


Closed

ojpbay opened this issue Jan 22, 2024 · 4 comments

Comments


ojpbay commented Jan 22, 2024

Command

other

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Running npm audit on an Angular 16 project with version 16.2.11 of @angular-devkit/build-angular reports a security vulnerability with vite.

vite 4.0.0 - 4.5.1
Severity: high
Vite dev server option server.fs.deny can be bypassed when hosted on case-insensitive filesystem - GHSA-c24v-8rfc-w8vw
fix available via npm audit fix --force
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/@angular-devkit/build-angular/node_modules/vite
@angular-devkit/build-angular 16.0.0-next.0 - 17.0.10
Depends on vulnerable versions of vite
node_modules/@angular-devkit/build-angular

An update is needed to use the patched version of vite - 4.5.2. The recent revision of @angular-devkit/build-angular (e0e011f) only moved this up to 4.5.1, which is still affected (see link below).

GHSA-c24v-8rfc-w8vw

Minimal Reproduction

  1. Create an angular v16 project with version 16.2.11 of @angular-devkit/build-angular.
  2. Run npm audit.

Exception or Error

No response

Your Environment

Angular CLI: 16.2.11
Node: 18.18.2
Package Manager: npm 9.8.1
OS: win32 x64

Angular: 16.2.12
... animations, common, compiler, compiler-cli, core, forms
... language-service, localize, platform-browser
... platform-browser-dynamic, platform-server, router
... service-worker

Package                            Version
------------------------------------------------------------
@angular-devkit/architect          0.1602.11
@angular-devkit/build-angular      16.2.11
@angular-devkit/core               16.2.11
@angular-devkit/schematics         16.2.11
@angular/cdk                       16.2.13
@angular/cli                       16.2.11
@angular/flex-layout               15.0.0-beta.42
@angular/material                  16.2.13
@angular/material-moment-adapter   16.2.13
@schematics/angular                16.2.11
rxjs                               7.8.1
typescript                         4.9.5
zone.js                            0.13.3

Anything else relevant?

No response

@alan-agius4 (Collaborator)

Closed via #26919

ojpbay (Author) commented Jan 22, 2024

@alan-agius4 many thanks for the speedy response. Do you have an idea when the fix will be released?

@alan-agius4 (Collaborator)

@ojpbay, it should be released this Wednesday.

alan-agius4 added a commit to alan-agius4/angular-cli that referenced this issue Jan 23, 2024
alan-agius4 added a commit that referenced this issue Jan 23, 2024
@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Feb 22, 2024