@angular-devkit/build-angular depends on vulnerable version of vite

[danielalexis]

Command

build

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Got a notification that the latest version of @angular-devkit/build-angular (v17.3.3) includes Vite 5.1.5 which has a vulnerability.

Github Advisory: GHSA-8jhw-289h-jh2g

Minimal Reproduction

Use the latest @angular-devkit/build-angular (v17.3.3), it will install vite 5.1.5

Exception or Error

No response

Your Environment

Angular CLI: 17.3.3
Node: 20.12.1
Package Manager: npm 10.5.1
OS: win32 x64

Angular: 17.3.2
... animations, cdk, common, compiler, compiler-cli, core, forms
... material, material-experimental, platform-browser
... platform-browser-dynamic, router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1703.3
@angular-devkit/build-angular   17.3.3
@angular-devkit/core            17.3.3
@angular-devkit/schematics      17.3.3
@angular/cli                    17.3.3
@schematics/angular             17.3.3
rxjs                            7.8.1
typescript                      5.4.3
zone.js                         0.14.4

Anything else relevant?

Package Manager: NPM

[CuriousWizard]

This vulnerability notice also occurs when you create a new project with Angular CLI version 16.2.13 and run npm audit on it.

[miguellira]

Current workaround is to specify the following overrides in package.json:

  "overrides": {
    "undici": "^6.11.1",
    "vite": "~5.1.7"
  }

It is important to note that angular-memory-plugin generates a runtime error with the latest version of vite 5.2.8 which is why it is ~5.1.7 and not ^5.1.7

Excerpt of error

...
node_modules\@angular-devkit\build-angular\src\tools\vite\angular-memory-plugin.js:240:31
...
[vite] Internal server error: Failed to update Vite client error overlay text. (2)
      at loadViteClientCode

[lsmith77]

semi-related https://github.com/nodejs/undici/releases/tag/v6.11.1

[alan-agius4]

Closed via #27430 and #27429

[Fabrice-K]

@alan-agius4, please, can you tell me when the fix will be available on NPM Registry please.

[alan-agius4]

@Fabrice-K, typically, releases are done on Wednesdays

[Fabrice-K]

Alright, thanks for your reply.

…

On Tue, 9 Apr 2024, 18:28 Alan Agius, ***@***.***> wrote: @Fabrice-K <https://github.com/Fabrice-K>, typically, releases are done on Wednesdays — Reply to this email directly, view it on GitHub <#27409 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AT2TWZBCCBKZ2FFOHK5QHGDY4QJLLAVCNFSM6AAAAABFV3NGRGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANBVGYYTAMJQGU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}