@angular-devkit/build-angular depends on vulnerable version of webpack-dev-middleware #27334

Closed

JainDhaval opened this issue Mar 22, 2024 · 18 comments · Fixed by #27335, #27336, #27319 or #27337

Comments

@JainDhaval

Command

new

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Running npm audit on an Angular v16 project produces an error output, because @angular-devkit/build-angular depends on a vulnerable version of webpack-dev-middleware.
See more details: GHSA-wr3j-pwj9-hqq6

Minimal Reproduction

Create new Angular v16 project.
Run npm audit in the project folder

Exception or Error

No response

Your Environment

Angular CLI: 16.2.10
Node: 18.18.1
Package Manager: npm 10.2.0
OS: win32 x64

Angular: 16.2.12
... animations, cdk, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1602.10
@angular-devkit/build-angular   16.2.12
@angular-devkit/core            16.2.10
@angular-devkit/schematics      16.2.10
@angular/cli                    16.2.10
@schematics/angular             16.2.10
rxjs                            7.8.1
typescript                      4.9.5
zone.js                         0.13.3

Anything else relevant?

No response

@alan-agius4 alan-agius4 self-assigned this Mar 22, 2024
alan-agius4 added a commit to alan-agius4/angular-cli that referenced this issue Mar 22, 2024
…o `6.1.2`

Addressed in this commit is an update to `webpack-dev-middleware` to version `6.1.2`, resolving a security concern identified at GHSA-wr3j-pwj9-hqq6.

Closes angular#27334
@kdemetter

kdemetter commented Mar 22, 2024

I'm also having this on Angular v17

clydin pushed a commit that referenced this issue Mar 22, 2024
…o `6.1.2`

Addressed in this commit is an update to `webpack-dev-middleware` to version `6.1.2`, resolving a security concern identified at GHSA-wr3j-pwj9-hqq6.

Closes #27334
@alan-agius4
Collaborator

alan-agius4 commented Mar 22, 2024

Fixed via #27335, #27336 and #27319

@ojpbay

ojpbay commented Mar 22, 2024

When will the fix be released?

@Dark-Light-20

I see that @alan-agius4 comments that this issue is fixed by 3 PRs, but I don't see a PR for the branch 15.2.x to solve the issue on Angular 15 LTS.

@alan-agius4
Collaborator

Version 15 PR #27337

@Dark-Light-20

Version 15 PR #27337

Thanks 😸

@grenmath

Where is the new Angular 15.2.11? I don't understand: was 6.1.2 merged, and how do I get this updated package in 15.2.10?

@alan-agius4
Collaborator

Fix has been released in versions 15.2.11, 16.2.13, and 17.3.2.

@emandere

Will webpack-dev-server be updated from 4.15.1 to 4.15.2? Version 4.15.1 references a vulnerable version of the webpack-dev-middleware library, and version 4.15.2 fixes that.

@alan-agius4
Collaborator

@emandere, please update your lock file, which will resolve the issue.

@WellingtonBraga

HI @alan-agius4 ,

We have this vulnerability on build-angular version 15.2.11. webpack-dev-middleware as a direct dependency was updated in its package.json, but webpack-dev-server is still demanding a vulnerable version of the middleware. Are you guys planning to do something about that?

Regards,
Wellington B.

@JeanMeche
Member

build-angular pulls webpack-dev-server 4.15.1, which then pulls webpack-dev-middleware ^5.3.1.

Version 5.3.4 doesn't have the vulnerability, so you should be able to update it.

@WellingtonBraga

Hi @JeanMeche , thanks for the answer.

I believe you must be talking about the 16+ versions of build-angular which are, as you said, pulling the version of webpack-dev-server that has fixed the vulnerability. However, I'm talking about version 15.2.11 of it, which still has the vulnerability.

It seems we fixed the direct dependency version in this commit, but given webpack-dev-server wasn't updated, the vulnerability seems to be still around.

I'm wondering if there are plans to fix the vulnerability and release a new 15.x version. Can you please help me with that?

Regards,
Wellington B.

@JeanMeche
Member

JeanMeche commented Apr 3, 2024

I was talking about v15.

If you delete package-lock.json / node_modules, npm will load webpack-dev-middleware 5.3.4.

@WellingtonBraga

Hi @JeanMeche , Thanks again for the answer.

Removing yarn.lock isn't something we should do. Is there no plan at the moment to have an official fix for that aside from the one mentioned?

In case the answer is no, then maybe resolutions may help, but it's also something we don't usually do.

Sorry for bombarding you with questions.

Regards,
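
The situation the last few comments describe (direct dependency bumped, but a second, nested copy of webpack-dev-middleware still resolved under webpack-dev-server by a stale lock) can be checked mechanically. The script below is an added example, not code from the Angular CLI project or from anyone in this thread. It assumes an npm lockfile of lockfileVersion 2 or 3 (the `packages` map keyed by install path), takes the patched versions 5.3.4 and 6.1.2 from the thread and 7.1.0 for the 7.x line from GHSA-wr3j-pwj9-hqq6, and uses a constructed sample lockfile in place of a real project's. The `overrides` it produces is the npm equivalent of the yarn `resolutions` approach mentioned above; the function and variable names are the example's own.

```javascript
// Added example, not code from the Angular CLI project or from anyone in this
// thread. Scans an npm lockfile (lockfileVersion 2/3, the "packages" map) for
// webpack-dev-middleware copies below the patched versions named in the thread
// and in GHSA-wr3j-pwj9-hqq6, and builds the package.json "overrides" entry
// that pins the transitive copy webpack-dev-server pulls in.

// Patched version per major line (5.3.4 and 6.1.2 appear in the thread; 7.1.0 is
// the 7.x fix listed in the advisory). Majors not listed here are not judged.
const PATCHED = { 5: '5.3.4', 6: '6.1.2', 7: '7.1.0' };

// Minimal major.minor.patch parsing; a pre-release suffix is ignored, so
// "5.3.4-rc.1" compares as 5.3.4 (acceptable for a lockfile scan, not a
// general semver implementation).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True when the major line has a known fix and the installed version is below it.
function isVulnerable(version) {
  const fixed = PATCHED[parseVersion(version)[0]];
  return fixed !== undefined && compareVersions(version, fixed) < 0;
}

// Every lockfile key ending in node_modules/webpack-dev-middleware is one
// installed copy. Nested keys such as
// node_modules/webpack-dev-server/node_modules/webpack-dev-middleware are the
// copies npm audit keeps reporting after only the direct dependency was bumped.
function findVulnerableDevMiddleware(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/webpack-dev-middleware')) continue;
    if (isVulnerable(entry.version)) findings.push({ path, version: entry.version });
  }
  return findings;
}

// npm "overrides" keyed by the parent that pulled the vulnerable copy in, so only
// that edge is pinned, e.g. {"webpack-dev-server": {"webpack-dev-middleware": "5.3.4"}}.
function overridesFor(findings) {
  const overrides = {};
  for (const { path, version } of findings) {
    const fixed = PATCHED[parseVersion(version)[0]];
    const segs = path.split('node_modules/').filter(Boolean).map((s) => s.replace(/\/$/, ''));
    const parent = segs.length >= 2 ? segs[segs.length - 2] : null;
    if (parent) overrides[parent] = { ...(overrides[parent] || {}), 'webpack-dev-middleware': fixed };
    else overrides['webpack-dev-middleware'] = fixed;
  }
  return overrides;
}

function scanLockfile(lockfile) {
  const findings = findVulnerableDevMiddleware(lockfile);
  return { findings, overrides: overridesFor(findings) };
}

// Constructed sample lockfile (not from a real project): build-angular 15.2.11
// pins webpack-dev-middleware 6.1.2 directly, while webpack-dev-server 4.15.1
// still resolves its own ^5.3.1 range to an old 5.3.x in a never-refreshed lock.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/@angular-devkit/build-angular': { version: '15.2.11' },
    'node_modules/webpack-dev-middleware': { version: '6.1.2' },
    'node_modules/webpack-dev-server': { version: '4.15.1' },
    'node_modules/webpack-dev-server/node_modules/webpack-dev-middleware': { version: '5.3.3' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node check-wdm.js [path/to/package-lock.json]; falls back to the sample.
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('node:fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const { findings, overrides } = scanLockfile(lock);
  for (const f of findings) console.log(`vulnerable: ${f.path} @ ${f.version}`);
  console.log(findings.length
    ? `suggested package.json "overrides": ${JSON.stringify(overrides)}`
    : 'no vulnerable webpack-dev-middleware copies found');
}
```

After adding the suggested `overrides` to package.json and running `npm install`, `npm ls webpack-dev-middleware` should show a single patched version under webpack-dev-server; projects on yarn classic express the same pin as a `resolutions` entry (`"webpack-dev-server/webpack-dev-middleware": "5.3.4"`). Either way the fix is only as good as the lock it is committed with, which is the point of checking the lockfile rather than package.json.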

@HelenaSeatCode

HelenaSeatCode commented Apr 23, 2024

Hi, @alan-agius4, @JeanMeche !!!
Is it possible to fix this for branch 14.2.x to solve the issue on Angular 14?
Regards,
Helena

@alan-agius4
Collaborator

@HelenaSeatCode, version 14 is end-of-life. Please see https://angular.io/guide/releases#actively-supported-versions

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators May 24, 2024