angular / angular-cli

CLI tool for Angular
https://cli.angular.dev
MIT License

http-proxy-middleware outdated (Mend vulnerability CVE-2024-21536) #28680

Closed Devvox93 closed 3 weeks ago

Devvox93 commented 3 weeks ago

Command

other

Is this a regression?

The previous version in which this bug was not present was

No response

Description

build-angular 18.2.9 (and earlier versions) reference http-proxy-middleware 3.0.0, which contains a vulnerability. There is a version 3.0.3 that includes a fix. For more info, please see: https://dnb.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2024-21536

Minimal Reproduction

Use the latest angular packages (build-angular 18.2.9 at the moment of writing) and scan for vulnerabilities with a tool (like Whitesource Mend).

Exception or Error

No response

Your Environment

Angular CLI: 18.2.9
Node: 20.16.0
Package Manager: npm 10.8.3
OS: win32 x64

Angular: 18.2.8
... animations, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router

Package                            Version
@angular-devkit/architect          0.1802.9
@angular-devkit/build-angular      18.2.9
@angular-devkit/core               18.2.9
@angular-devkit/schematics         18.2.9
@angular/cli                       18.2.9
@schematics/angular                18.2.9
rxjs                               7.8.1
typescript                         5.5.4
zone.js                            0.14.10

Anything else relevant?

It's not a major issue, since it's on a dev dependency, but nevertheless it is flagged as a High impact vulnerability (raising red flags and blocks) in our organization, and it seems like an easy fix to update it in build-angular.
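The report above describes finding the outdated dependency with an SCA scanner. The following added example (not code from the issue or from the Angular CLI project) does the same check offline against a package-lock.json: it walks every installed copy of http-proxy-middleware, including nested ones, and flags versions below the first fixed release of their major line (3.0.3 and 2.0.7, the versions named in this thread), reporting whether the copy is dev-only. The sample lockfile is constructed here to mirror the issue's versions.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages"
// map) for copies of http-proxy-middleware that predate the fixed releases
// named in the issue. First fixed version per major line (assumed from the
// thread: 2.x fixed in 2.0.7, 3.x fixed in 3.0.3).
const FIXED = { 2: [2, 0, 7], 3: [3, 0, 3] };

// Parse "MAJOR.MINOR.PATCH" (a pre-release suffix such as "-beta.1" is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the version is in a major line listed in FIXED and is older than
// that line's first fixed release; other major lines are not judged here.
function isVulnerable(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED[parsed[0]];
  return fixed !== undefined && compareVersions(parsed, fixed) < 0;
}

// Every installed copy appears as a key ending in "node_modules/<pkg>",
// so nested copies under another package's node_modules/ are found too.
function findVulnerable(lock, pkgName = 'http-proxy-middleware') {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !path.endsWith(`node_modules/${pkgName}`)) continue;
    if (isVulnerable(entry.version)) {
      hits.push({ path, version: entry.version, dev: Boolean(entry.dev) });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not a real project's lock).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.0' },
    'node_modules/@angular-devkit/build-angular': { version: '18.2.9', dev: true },
    'node_modules/http-proxy-middleware': { version: '3.0.0', dev: true },
    'node_modules/legacy-tool/node_modules/http-proxy-middleware': { version: '2.0.7', dev: true },
  },
};

for (const h of findVulnerable(sampleLock)) {
  console.log(`${h.path}@${h.version} (${h.dev ? 'dev' : 'prod'}) predates the fixed release`);
}
```

To run it against a real project, replace sampleLock with JSON.parse of the project's package-lock.json contents.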

AlejandroGimenezAxa commented 3 weeks ago

Hi, @angular/devkit-repo in v17 (17.3.9) points to http-proxy-middleware v2.0.6, which also has this problem. v2.0.7 has a fix too, and it would be great to update it.

alan-agius4 commented 3 weeks ago

Closed via https://github.com/angular/angular-cli/pull/28692 and https://github.com/angular/angular-cli/pull/28691