@angular-devkit/build-angular v18.2.14 has vulnerable dependency #29708

plvaliente opened this issue Feb 25, 2025 · 3 comments

Comments

@plvaliente

Command

build

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

Vulnerability in esbuild package in @angular/build and @angular-devkit/build-angular v18.2.14

Description

The packages @angular/build and @angular-devkit/build-angular, version v18.2.14, have the vulnerable package esbuild listed as both a dependency and an optionalDependency in their package.json. The esbuild version currently used, 0.23.0, is within the range marked as vulnerable (<= 0.24.2).

Package.json files

In @angular-devkit/build-angular:

"optionalDependencies": {
  "esbuild": "0.23.0"
}

In @angular/build:

"dependencies": {
  ...
  "esbuild": "0.23.0",
  ...
}

The version of esbuild should be updated to 0.25.0 or higher to address the vulnerability.

Thank you!

Minimal Reproduction

Package.json files

In @angular-devkit/build-angular:

"optionalDependencies": {
  "esbuild": "0.23.0"
}

In @angular/build:

"dependencies": {
  ...
  "esbuild": "0.23.0",
  ...
}

Exception or Error

node_modules/esbuild
  @angular-devkit/build-angular  12.2.0-next.0 - 19.2.0-next.1
  Depends on vulnerable versions of @angular/build
  Depends on vulnerable versions of esbuild
  node_modules/@angular-devkit/build-angular
  @angular/build  *
  Depends on vulnerable versions of esbuild

Your Environment

Angular CLI: 18.2.14
Node: 20.18.1
Package Manager: npm 10.8.2
OS: win32 x64

Angular: 18.2.13
... animations, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1802.14
@angular-devkit/build-angular   18.2.14
@angular-devkit/core            18.2.14
@angular-devkit/schematics      18.2.14
@angular/cli                    18.2.14
@angular/localize               18.2.12
@schematics/angular             18.2.14
rxjs                            7.8.1
typescript                      5.5.4
webpack                         5.94.0
zone.js                         0.14.10

Anything else relevant?

No response
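As an added example (not part of the issue or of the Angular CLI project), a small Node.js script that performs the check the report describes: it walks a set of package manifests, looks at both `dependencies` and `optionalDependencies`, and flags any esbuild version at or below the affected range stated above. The manifests are constructed inline from the versions quoted in the issue, and the range-operator handling (treating the lowest version a `^`/`~` range admits as the installed one) is an assumption of this script.

```javascript
// Added example, not from the issue: audit package manifests for an esbuild
// version in the vulnerable range (<= 0.24.2, first fix 0.25.0, per the issue)
// declared in "dependencies" or "optionalDependencies". Runs offline.

const VULNERABLE_MAX = '0.24.2'; // highest affected esbuild version (from the issue)
const FIXED_MIN = '0.25.0';      // first fixed release (from the issue)

// Compare dotted numeric versions: negative, zero or positive like strcmp.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Strip a leading ^, ~ or = so exact pins and ranges both parse. Assumption:
// the lower bound of a range is the worst case that can be installed.
function pinnedVersion(spec) {
  const m = /^[\^~=]?\s*(\d+\.\d+\.\d+)/.exec(spec);
  return m ? m[1] : null;
}

// One finding per manifest section that declares a vulnerable esbuild.
function findVulnerableEsbuild(manifest) {
  const findings = [];
  for (const section of ['dependencies', 'optionalDependencies']) {
    const spec = manifest[section] && manifest[section].esbuild;
    if (!spec) continue;
    const version = pinnedVersion(spec);
    if (version && compareVersions(version, VULNERABLE_MAX) <= 0) {
      findings.push({ package: manifest.name, section, version, fix: `>=${FIXED_MIN}` });
    }
  }
  return findings;
}

// Constructed manifests mirroring the snippets quoted in the issue, plus a
// hypothetical patched package to show a clean result.
const MANIFESTS = [
  { name: '@angular-devkit/build-angular', optionalDependencies: { esbuild: '0.23.0' } },
  { name: '@angular/build', dependencies: { esbuild: '0.23.0' } },
  { name: 'patched-example', dependencies: { esbuild: '0.25.0' } },
];

function auditAll(manifests) { return manifests.flatMap(findVulnerableEsbuild); }

console.log(auditAll(MANIFESTS)); // two findings, both esbuild 0.23.0
```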

@JeanMeche
Member

JeanMeche commented Feb 25, 2025

You're probably hinting at GHSA-67mh-4wv8-2f99.
19.2.0 will be providing the update to 0.25.0.

Afaik Angular isn't impacted by this vulnerability as it doesn't use esbuild as a dev server (but Vite).

@dgp1130
Collaborator

dgp1130 commented Feb 27, 2025

We decided to hold off on merging for 19.2.0 just because the Vite release came up last minute and we didn't want to risk instability.

This will likely land in 19.2.1 next week (assuming no unrelated fast follow releases are necessary to fix issues in 19.2.0).

Also @JeanMeche is correct that we don't use esbuild dev server, so no applications should be affected by this vulnerability.

@RafaelGCPP

@dgp1130 great news!

I was about to ask for bumping the vite dependency to 6.2.0. I am facing a race condition on npm, as [email protected] depends on [email protected] and all the remaining modules are already pointing to [email protected].

Because of that, npm gets into a race condition with both esbuild postinstall scripts trying to remove the same optional dependency.

Bumping Angular to use [email protected] might solve this (I hope!).

Thanks for the good work folks!
