Labels
angular/build:dev-server, area: @angular/build, freq1: low (Only reported by a handful of users who observe it rarely), severity6: security, type: bug/fix
Description
Command
other
Is this a regression?
- Yes, this behavior used to work in the previous version
The previous version in which this bug was not present was
@angular/build@20.1.6
Description
Direct and transient dependency on vite@7.1.5 which has a moderate issue, fixed in 7.1.11 ("dev: trim trailing slash before server.fs.deny check").
Minimal Reproduction
$ npm audit
# npm audit report
vite 7.1.0 - 7.1.10
Severity: moderate
vite allows server.fs.deny bypass via backslash on Windows - https://github.com/advisories/GHSA-93m4-6634-74q7
fix available via `npm audit fix --force`
Will install @angular/build@20.1.6, which is a breaking change
node_modules/vite
@angular/build >=20.2.0-next.0
Depends on vulnerable versions of vite
node_modules/@angular/build
2 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
$ npm ls -a
...
├─┬ @angular/build@20.3.6
...
│ ├─┬ @vitejs/plugin-basic-ssl@2.1.0
│ │ └── vite@7.1.5 deduped
...
│ ├─┬ vite@7.1.5
...
$
Exception or Error
Your Environment
Angular CLI: 20.3.6
Node: 22.19.0
Package Manager: npm 10.9.3
OS: linux x64
Angular: 20.3.6
... build, cli, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router
Package Version
------------------------------------
@angular-devkit/architect 0.2003.6
@angular-devkit/core 20.3.6
@angular-devkit/schematics 20.3.6
@schematics/angular 20.3.6
rxjs 7.8.2
typescript 5.9.3
Anything else relevant?
No response
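An added example, not part of the original issue and not Angular or Vite project code: a small checker that walks a dependency tree in the shape printed by `npm ls --all --json` and reports every `vite` install inside the affected range from the audit output above (7.1.0 - 7.1.10), with the path that pulls it in. The function names are hypothetical and the sample tree is constructed from the versions shown in the report.

```javascript
// Affected range as stated in the npm audit output: vite 7.1.0 - 7.1.10.
const AFFECTED_MIN = [7, 1, 0];
const AFFECTED_MAX = [7, 1, 10];

// Parse a plain x.y.z version; anything else (pre-release tags, ranges) is not guessed at.
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version));
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison, so that 7.1.10 sorts after 7.1.5 (a string compare gets this wrong).
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function classify(version) {
  const v = parse(version);
  if (!v) return "unknown"; // surface for manual review instead of passing silently
  const inRange = compare(v, AFFECTED_MIN) >= 0 && compare(v, AFFECTED_MAX) <= 0;
  return inRange ? "affected" : "ok";
}

// Recursively collect every vite node, direct or transitive, with its dependency path.
function findVite(node, path = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === "vite") out.push({ path: here.join(" > "), status: classify(dep.version) });
    findVite(dep, here, out);
  }
  return out;
}

// Constructed sample mirroring the `npm ls -a` excerpt in the report.
const sampleTree = {
  name: "app",
  dependencies: {
    "@angular/build": {
      version: "20.3.6",
      dependencies: {
        "@vitejs/plugin-basic-ssl": { version: "2.1.0", dependencies: { vite: { version: "7.1.5" } } },
        vite: { version: "7.1.5" },
      },
    },
  },
};

for (const hit of findVite(sampleTree)) console.log(hit.status, hit.path);
```

To run it against a real project, parse the output of `npm ls --all --json` with `JSON.parse` and pass the result to `findVite` in place of `sampleTree`.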